[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Subtree ACL Problem
>At this point, you may want to use the debugging options of slapd. You can
>start with '-d 128' and check how slapd uses your ACL statements.
Ok, sounds cool. I'm stumped again, I get the following output:
----------------------------------------------------------------------
=> acl_get: entry (cn=Adam Williams,ou=People,o=Morrison Industries, c=US) attr
(mobile)
<= acl_get: [4] backend acl cn=Adam Williams,ou=People,o=Morrison Industries,
c=US attr: mobile
=> acl_access_allowed: write access to entry "cn=Adam
Williams,ou=People,o=Morrison Industries, c=US"
=> acl_access_allowed: write access to value "6163401149" by "CN=ADAM
WILLIAMS,OU=PEOPLE,O=MORRISON INDUSTRIES,C=US"
<= ldbm_back_group: "CN=ADAM WILLIAMS,OU=PEOPLE,O=MORRISON INDUSTRIES,C=US" not
in "CN=CIS,OU=GROUPS,O=MORRISON INDUSTRIES,C=US": roleOccupant
<= acl_access_allowed: denied by default (no matching by)
------------------------------------------------------------------------
Which tells me it is using access rule #4 which is:
------------------------------------------------------------------------
access to *
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison
Industries,c=US" write
------------------------------------------------------------------------
so the interpretation is correct, I should not have write access. What
I don't understand is why it doesn't match rule #3 for which I've
tried both:
-------------------------------------------------------------------------
access to dn=".*,ou=People,o=Morrison Industries,c=US"
attrs=children,entry,uid
by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,o=Morrison
Industries,c=US" write
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison
Industries,c=US" write
-----and-----------------------------------------------------------------
access to dn="ou=People,o=Morrison Industries,c=US"
attrs=children,entry,uid
by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,o=Morrison
Industries,c=US" write
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison
Industries,c=US" write
-------------------------------------------------------------------------
The data in "cn=personel,ou=Groups,o=Morrison Industries,c=US" is:
cn=personel,ou=Groups,o=Morrison Industries, c=US
cn=personel
gidnumber=238
memberuid=dcommire
memberuid=kjohnsto
memberuid=ablood
allowprimary=Y
creatorsname=cn=Manager, o=Morrison Industries, c=US
createtimestamp=20000719041914Z
roleoccupant=cn=Adam Williams,ou=People,o=Morrison Industries,c=US
modifytimestamp=20000725094557Z
modifiersname=cn=Manager, o=Morrison Industries, c=US
objectclass=posixGroup
objectclass=top
objectclass=organizationalRole