
Re: ACL's and madness
On 2003-02-20 07:00:22 +0000, Tom Possin wrote:
> On Thu, 2003-02-20 at 01:53, Ziya Suzen wrote:
> > Can you post the version with the parentheses.
> 
> Here is the FAQ-O-Matic version verbatim
> (I have tried using these parentheses in desperation but they really do
> seem to be either a mistake or an attempt to "clarify")

Parentheses are the key here. They create back-references, meaning $1
is what's matched within the first parentheses ($2 is the second, etc.).

I'd recommend googling for a 'regex tutorial' for more information on
regexes.

Another problem might be the order of access directives. I.e. in your
previous post, if you were trying to insert an object with a
'userPassword' attribute, it wouldn't be successful because it is only
allowed to 'self' and 'cn=manager,...'. Although the second directive
allows the user to write anything below its own node, once the first
directive is matched, ACL evaluation stops.

Also running the server with debug options would help a lot.

 'slapd -d128'

You might want to have a look at the following pages:

 http://www.openldap.org/doc/admin/slapdconfig.html
  (especially 5.3.4. Access Control Evaluation)

 http://www.openldap.org/doc/admin/runningslapd.html
  (Table 6.1: Debugging Levels)

Ziya.

> 
> access to dn=".*,(uid=.*,o=Company)"
>         by dn="$1" write
>         by anonymous auth
>   access to *
>         by self write
>         by anonymous read
> -- 
> Tom
> ***********************************************
> A computer once beat me at chess...
> But, as it turns out, it was no match for me at kick boxing.
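As an added illustration (not part of the thread, and not OpenLDAP code), the following Python simulation models the two points Ziya makes against the quoted directives: the `$1` back-reference in `by dn="$1"` is filled from the group captured by the `to dn` regex, and only the first directive whose `<what>` matches the target is consulted. The ACL table, the DNs and the anchored-regex and literal-DN-comparison behaviour are assumptions made for the simulation.

```python
import re

# Constructed ACL modelled on the two access directives quoted in the thread
# (hypothetical simulation, not OpenLDAP code). Each entry is
# (<what> DN regex, [(<who>, <access>), ...]) in slapd.conf order.
ACL = [
    (r".*,(uid=.*,o=Company)", [("dn:$1", "write"), ("anonymous", "auth")]),
    (r".*",                    [("self", "write"),  ("anonymous", "read")]),
]

# slapd access levels, weakest to strongest; a granted level implies the lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def expand_backrefs(who_dn, match):
    """Replace $1, $2 ... with the groups captured by the <what> regex."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), who_dn)

def evaluate(acl, target_dn, bind_dn=None):
    """Return the access level granted to bind_dn (None = anonymous) on target_dn.

    Mirrors first-match evaluation: the first directive whose <what> matches
    the target is the only one consulted. Inside it, the first applicable
    <who> clause wins; if none applies, access is denied. Later directives
    are never reached, even if they would grant more. DN regexes are treated
    as anchored (assumption made for this simulation).
    """
    for what, by_clauses in acl:
        m = re.fullmatch(what, target_dn)
        if not m:
            continue
        for who, level in by_clauses:
            if who.startswith("dn:"):
                # Back-reference substitution, then a literal DN comparison
                if bind_dn is not None and expand_backrefs(who[3:], m) == bind_dn:
                    return level
            elif who == "self" and bind_dn is not None and bind_dn == target_dn:
                return level
            elif who == "anonymous" and bind_dn is None:
                return level
        return "none"  # <what> matched, but no <who> clause applied
    return "none"      # no directive matched at all

def allowed(acl, target_dn, bind_dn, needed):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(evaluate(acl, target_dn, bind_dn)) >= LEVELS.index(needed)
```

With these directives, the owner `uid=tom,o=Company` gets write on `cn=addr,uid=tom,o=Company` through `$1`, while an anonymous read of that same entry is refused: the first directive matched and granted only `auth`, so the second directive's `by anonymous read` is never reached.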