[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP 2.1.19 and ACLs

I have this nice set of ACLs that I created for my openldap 2.0.27
server.. now I'm trying to upgrade things to openldap 2.1.19 but the
acls refuse to work correctly..

I've now proceeded to strip them down and rebuild them from scratch on
the 2.1.19 server.. here it is..

access to dn="" by * read
access to dn="cn=Subschema" by * read

access to dn="uid=.*,ou=People,o=MyOrg,c=US"
    by self write
    by anonymous auth

access to dn="uid=.*,ou=People,o=MyOrg,c=US"
    by self write

access to dn="uid=.*,ou=People,o=MyOrg,c=US" attrs=entry
    by self read

access to dn="ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
    by dn="uid=$1,ou=People,o=MyOrg,c=US" write

access to dn="cn=.*,ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
    by dn="uid=$1,ou=People,o=MyOrg,c=US" write

access to *
    by * none

I turned on loglevel 128 and am watching the acl trace..
This is what is happening... I run
$ ldapsearch -U user@dom.tld -s base -w test -b
and it works as expected and returns the userpassword attr, and th horde
prefs attrs.

when I do this however
$ ldapsearch -U user@dom.tld -s sub -w test -b
it returns  exactly the same thing and does not return any of the
entries in the ou=Address Boook.
in the log it tells me that when it tries to look up objectClass in
"ou=Address Book,uid=user@dom.tld,ou=people,ou=MyOrg,c=US" it matches
dnpat[3] NOT dnpat[4] like it should.. So every ACL request is matching
the "uid=.*,ou=People,o=MyOrg,c=US" rule

Also I can not get group acls to work either in 2.1.19 ie..
(by group="cn=admin,ou=Group,o=MyOrg,c=US" write)
AS those where in there but when slapd traced through those it say that
the user was not in the member attribute of the group (it found the
group) even though it IS!!

This did not happen with 2.0.27... Any ideas??
I'm running RH 7.3 w/ the open-it.org RPMS (rebuilt on my system of

Edward Rudd <eddie@omegaware.com>