
Filters in Access Controls



Hi,

does anyone have a clue why the following does not work:

I configured some access controls in the slapd.conf file:

access to dn="o=users,o=org"
       by dn="cn=subscription,o=operators,o=org" write

access to filter="objectClass=device"
       by dn="cn=device,o=operators,o=org" write

defaultaccess read

which should do the following:
The user "cn=subscription,o=operators,o=org"  has full access rights for the
subtree o=users,o=org. This rule works fine!
The user "cn=device,o=operators,o=org" has full rights for entries of type
device, which could be spread anywhere in the tree with root "o=org".

When I start the LDAP Server with debug-level 128, it shows me the ACIs:

ACL: access to dn=O=USERS,O=ORG
        by dn=CN=SUBSCRIPTION,O=OPERATORS,O=ORG

ACL: access to filter=(objectClass=device)
        by dn=CN=DEVICE,O=OPERATORS,O=ORG

Afterwards, I try to load an object of type device with the credentials of
CN=DEVICE,O=OPERATORS,O=ORG. I get an
"insufficient access" message returned and the server debug output shows me:

=> access_allowed: entry (o=devices,o=ORG) attr (children)

=> acl_get: entry (o=devices,o=ORG) attr (children)
<= acl_get: no match

=> acl_access_allowed: write access to entry "o=devices,o=ORG"

=> acl_access_allowed: write access to value "any" by
"CN=DEVICE,O=OPERATORS,O=ORG"
<= acl_access_allowed: denied by default (no matching to)

=> access_allowed: exit (o=devices,o=ORG) attr (children)


Apparently, slapd does not recognize the "to" part, which is really strange.
If I work with a sub-tree, it will work, but I am not sure whether it will
always be in the same subtree!

Does anyone have an idea what is going on?

Thanks

Reinhard Nappert

Unisphere Networks, Inc.
110 Iber Road
Goulbourn,  Ontario
K2S 1E9 Canada

(613) 836-1014
Fax: (613) 836-1805
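The debug trace in the post shows slapd checking write access to the `children` attribute of the parent `o=devices,o=ORG`, not to the device entry being added. The following is an added example, not code from the post or from OpenLDAP: a small model of the first-matching-`to` evaluation using the two ACLs from the slapd.conf above, reproducing the "no matching to" outcome. The directory entries, the treatment of `dn=` as a regex searched within the entry DN, and the `none` verdict when a `to` matches without a matching `by` are assumptions for the demo.

```python
import re

LEVELS = ["none", "compare", "search", "read", "write"]
DEFAULTACCESS = "read"            # from the slapd.conf in the post

# Entries constructed for the demo; the post only names the containers.
DIRECTORY = {
    "o=users,o=org": {"objectClass": ["organization"]},
    "o=devices,o=org": {"objectClass": ["organization"]},
    "cn=router1,o=devices,o=org": {"objectClass": ["device"]},
}

# The two "access to" clauses from the post: (to-kind, to-value, by-dn).
ACLS = [
    ("dn", "o=users,o=org", "cn=subscription,o=operators,o=org"),
    ("filter", "(objectClass=device)", "cn=device,o=operators,o=org"),
]

def normalize(dn):
    """DNs compare case-insensitively; slapd prints them upper-cased."""
    return dn.replace(" ", "").upper()

def to_matches(kind, value, entry_dn, entry):
    """acl_get's question: does this clause's 'to' part select the entry?"""
    if kind == "dn":
        # Assumption: dn="..." is a regex searched within the entry's DN,
        # so it also covers entries below o=users,o=org.
        return re.search(normalize(value), normalize(entry_dn)) is not None
    attr, wanted = re.fullmatch(r"\((\w+)=(\w+)\)", value).groups()
    return wanted.lower() in (v.lower() for v in entry.get(attr, []))

def access_allowed(bind_dn, entry_dn, want):
    """Return (granted, reason) for bind_dn requesting 'want' on entry_dn."""
    entry = DIRECTORY.get(entry_dn, {})
    for kind, value, by_dn in ACLS:
        if to_matches(kind, value, entry_dn, entry):
            if normalize(by_dn) == normalize(bind_dn):
                level, reason = "write", "matched by clause"
            else:
                level, reason = "none", "to matched, no matching by"
            break
    else:
        level, reason = DEFAULTACCESS, "no matching to (defaultaccess)"
    granted = LEVELS.index(level) >= LEVELS.index(want)
    return granted, reason

def can_add_entry(bind_dn, new_dn):
    """An add needs write access to the parent's 'children' pseudo-attribute,
    so the ACLs are evaluated against the parent entry, not the new one."""
    parent_dn = new_dn.split(",", 1)[1]
    return access_allowed(bind_dn, parent_dn, "write")
```

The filter clause matches only entries that are themselves devices, so the container `o=devices,o=org` falls through to `defaultaccess read`, which does not grant the write needed to add a child.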