
ACLs, groups, and regular expressions... oh my



I have been trying to formulate an acl that will allow read access to the
ldap server, if they are a member of any of the groups.

Here is the acl I came up with:

access to *
   by group="cn=(.*),dc=example,dc=com" read
   by anonymous bind
   by * none

Now as I see it anybody that is a member of any group there should get
read access to the box.  However, that of course, is not happening.

Here is a bit of the debug output that I am getting

=> acl_mask: to all values by "uid=beavis,dc=example,dc=com", (=n)
=> string_expand: pattern:  cn=(.*),dc=example,dc=com
=> string_expand: expanded: cn=(.*),dc=example,dc=com
>>> dnNormalize: <cn=(.*),dc=example,dc=com>
=> ldap_bv2dn(cn=(.*),dc=example,dc=com,0)
<= ldap_bv2dn(cn=(.*),dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=(.*),dc=example,dc=com,272)=0
<<< dnNormalize: <cn=(.*),dc=example,dc=com>
=> regex_matches: string:        uid=beavis,dc=example,dc=com
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [4] applying none(=n) (stop)
<= acl_mask: [4] mask: none(=n)
=> access_allowed: search access denied by none(=n)

Looks to me like it's not expanding the regular expression to, but that's
just my guess.

Any clues????

paul wilson
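For reference, an added slapd.conf fragment (not from the original post or its author) showing how OpenLDAP's group clause is actually evaluated: `group=` names one specific group entry whose `member` values are checked against the bound DN, so a regex such as `cn=(.*)` never names a real group and the rule falls through to `by * none`. The group and OU names used here (cn=admins, cn=staff, ou=groups) are assumed for illustration.

```conf
# Added example: explicit group-based ACLs in OpenLDAP slapd.conf.
# Group names and the ou=groups layout are assumptions for this example.

# Exact group membership: each "by group" line checks the bound DN against the
# "member" attribute of ONE named groupOfNames entry. List each group that
# should have access rather than trying to wildcard all groups.
access to *
    by group/groupOfNames/member="cn=admins,dc=example,dc=com" write
    by group/groupOfNames/member="cn=staff,dc=example,dc=com"  read
    by anonymous auth
    by * none

# Where the group name is derived from the entry being accessed, the "expand"
# style substitutes $N captured by a dn.regex in the "to" clause; this is the
# only place a regex takes part in group evaluation. Here entries under
# ou=<name>,dc=example,dc=com are readable by members of cn=<name>,ou=groups.
access to dn.regex="^(.+,)?ou=([^,]+),dc=example,dc=com$"
    by group/groupOfNames/member.expand="cn=$2,ou=groups,dc=example,dc=com" read
    by * none
```

Keep a "by * none" catch-all last so any group you forget to list is denied rather than silently granted, and confirm the outcome with `slapacl` or the ACL debug level before relying on it.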