
Re: Filters in Access Controls



At 03:08 PM 3/7/01 -0500, Nappert, Reinhard wrote:
>Hi,
>
>does anyone have a clue why the following does not work:
>
>I configured some access controls in the slapd.conf file:
>
>access to dn="o=users,o=org"
>       by dn="cn=subscription,o=operators,o=org" write
>
>access to filter="objectClass=device"
>       by dn="cn=device,o=operators,o=org" write
>
>defaultaccess read
>
>which should do the following:
>The user "cn=subscription,o=operators,o=org"  has full access rights for the
>subtree o=users,o=org. This rule works fine!
>The user "cn=device,o=operators,o=org" has full rights for entries from type
>device, which could be spread anywhere in the tree with root "o=org"

No.  It doesn't apply to "o=users,o=org" as your first rule
takes precedence.  For users other than cn=subscription,o=operators,o=org,
no access is granted by the implied "by * none" clause as
indicated below.


>When I start the LDAP Server with debug-level 128, it shows me the ACIs:
>
>ACL: access to dn=O=USERS,O=ORG
>        by dn=CN=SUBSCRIPTION,O=OPERATORS,O=ORG
>
>ACL: access to filter=(objectClass=device)
>        by dn=CN=DEVICE,O=OPERATORS,O=ORG
>
>Afterwards, I try to load with the credentials of
>CN=DEVICE,O=OPERATORS,O=ORG an object from type device. I get an
>"insufficient -access" message returned and the server-debug-level shows me:
>
>=> access_allowed: entry (o=devices,o=ORG) attr (children)
>
>=> acl_get: entry (o=devices,o=ORG) attr (children)
><= acl_get: no match
>
>=> acl_access_allowed: write access to entry "o=devices,o=ORG"
>
>=> acl_access_allowed: write access to value "any" by
>"CN=DEVICE,O=OPERATORS,O=ORG"
><= acl_access_allowed: denied by default (no matching to)
>=> access_allowed: exit (o=devices,o=ORG) attr (children)
>
>
>Apparently, slapd does not recognize the "to" part, which is really strange.
>If I work with sub-tree, it will work, but I am not sure whether it will
>always be in the same subtree!
>
>Does anyone have an idea what is going on?
>
>Thanks
>
>Reinhard Nappert
>
>Unisphere Networks, Inc.
>110 Iber Road
>Goulbourn,  Ontario
>K2S 1E9 Canada
>
>(613) 836-1014
>Fax: (613) 836-1805
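To illustrate how slapd selects a rule (the first matching "to" clause wins, then the first matching "by" clause, otherwise the implied "by * none"; "defaultaccess" applies only when no "to" clause matched at all), here is an added Python model of that evaluation run over the two directives posted above; it is not OpenLDAP code. It assumes an unstyled dn= matches the entry and its subtree, as the first rule is described as doing, models only the objectClass filter shape used here, and the reordered rule set with an explicit "by * read" is one constructed way of letting the filter rule take precedence; the sample entry DNs are constructed.

```python
from typing import Callable

# Access levels in slapd's ranking: a higher level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def dn_subtree(base: str) -> Callable[[str, list], bool]:
    """Assumption: an unstyled dn=<value> matches the entry and its whole subtree,
    which is how the first rule in the question is described as behaving."""
    base = base.lower()
    return lambda dn, _ocs: dn.lower() == base or dn.lower().endswith("," + base)

def filter_objectclass(oc: str) -> Callable[[str, list], bool]:
    """Models filter="objectClass=<oc>", the only filter shape used in the question."""
    return lambda _dn, ocs: oc.lower() in [c.lower() for c in ocs]

def by_dn(who: str) -> Callable[[str], bool]:
    return lambda requester: requester.lower() == who.lower()

def granted(rules, default: str, entry_dn: str, object_classes: list, requester: str) -> str:
    """The first "to" clause matching the entry is selected, then the first "by" clause
    matching the requester; no "by" match means the implied "by * none"; "defaultaccess"
    is used only when no "to" clause matched at all."""
    for what, by_clauses in rules:
        if what(entry_dn, object_classes):
            for who, level in by_clauses:
                if who(requester):
                    return level
            return "none"
    return default

def allowed(rules, default: str, entry_dn: str, object_classes: list, requester: str, wanted: str) -> bool:
    return LEVELS.index(granted(rules, default, entry_dn, object_classes, requester)) >= LEVELS.index(wanted)

# The two directives exactly as posted, in the posted order.
POSTED = [
    (dn_subtree("o=users,o=org"), [(by_dn("cn=subscription,o=operators,o=org"), "write")]),
    (filter_objectclass("device"), [(by_dn("cn=device,o=operators,o=org"), "write")]),
]
# Reordered so the filter rule is consulted first, with an explicit "by * read" instead of the implied "by * none".
ANYONE = lambda _requester: True
REORDERED = [
    (filter_objectclass("device"), [(by_dn("cn=device,o=operators,o=org"), "write"), (ANYONE, "read")]),
    (dn_subtree("o=users,o=org"), [(by_dn("cn=subscription,o=operators,o=org"), "write"), (ANYONE, "read")]),
]
DEVICE = "cn=device,o=operators,o=org"

if __name__ == "__main__":
    print(allowed(POSTED, "read", "cn=d1,o=users,o=org", ["device"], DEVICE, "write"))     # False
    print(allowed(REORDERED, "read", "cn=d1,o=users,o=org", ["device"], DEVICE, "write"))  # True
    print(granted(POSTED, "read", "o=devices,o=org", ["organization"], DEVICE))            # read
```

The last call mirrors the debug trace above: o=devices,o=org is not itself a device, so no "to" clause matches it and only the "defaultaccess read" level is available, which is below the write access a modification needs.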