
Re: ACI - cannot see any mistakes (typo)



Armin Wenz wrote:
I have a DIT like
c=de
- o=Demo
  - ou=user
  - ou=company
I want to deny anonymous access to the ou=user branch.

My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
  by dn="cn=user1, ou=user, o=Demo, c=DE" write
  by anonymous auth
  by * none
access to dn=".*,c=DE"
  by dn="cn=user1, ou=user, o=Demo, c=DE" write
  by * read

When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE" I still got all entries under that branch.

In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
                "objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched

In my opinion ACL1 should match.

What have I misunderstood or done wrong?

Sorry to all who replied that fast:

This "MailPass Demo" is a typo. It means
access_allowed: search access to "ou=user,o=Demo, c=DE"
                "objectClass" requested


--

Armin Wenz