[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP 2.1.19 and ACLs

To: OpenLDAP <openldap-software@OpenLDAP.org>
Subject: OpenLDAP 2.1.19 and ACLs
From: Edward Rudd <eddie@omegaware.com>
Date: 06 Jun 2003 12:50:31 -0500
Organization:

I have this nice set of ACLs that I created for my openldap 2.0.27
server.. now I'm trying to upgrade things to openldap 2.1.19 but the
acls refuse to work correctly..

I've now proceeded to strip them down and rebuild them from scratch on
the 2.1.19 server.. here it is..

access to dn="" by * read
access to dn="cn=Subschema" by * read

access to dn="uid=.*,ou=People,o=MyOrg,c=US"
attr=userPassword,objectClass
    by self write
    by anonymous auth

access to dn="uid=.*,ou=People,o=MyOrg,c=US"
attrs=hordePrefs,impPrefs,turbaPrefs
    by self write

access to dn="uid=.*,ou=People,o=MyOrg,c=US" attrs=entry
    by self read

access to dn="ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
attr=children,objectClass
    by dn="uid=$1,ou=People,o=MyOrg,c=US" write

access to dn="cn=.*,ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
    by dn="uid=$1,ou=People,o=MyOrg,c=US" write

access to *
    by * none


I turned on loglevel 128 and am watching the acl trace..
This is what is happening... I run
$ ldapsearch -U user@dom.tld -s base -w test -b
"uid=user@dom.tld,ou=people,o=MyOrg,c=us"
and it works as expected and returns the userpassword attr, and th horde
prefs attrs.

when I do this however
$ ldapsearch -U user@dom.tld -s sub -w test -b
"uid=user@dom.tld,ou=people,o=MyOrg,c=us"
it returns  exactly the same thing and does not return any of the
entries in the ou=Address Boook.
in the log it tells me that when it tries to look up objectClass in
"ou=Address Book,uid=user@dom.tld,ou=people,ou=MyOrg,c=US" it matches
dnpat[3] NOT dnpat[4] like it should.. So every ACL request is matching
the "uid=.*,ou=People,o=MyOrg,c=US" rule

Also I can not get group acls to work either in 2.1.19 ie..
(by group="cn=admin,ou=Group,o=MyOrg,c=US" write)
AS those where in there but when slapd traced through those it say that
the user was not in the member attribute of the group (it found the
group) even though it IS!!

This did not happen with 2.0.27... Any ideas??
I'm running RH 7.3 w/ the open-it.org RPMS (rebuilt on my system of
course)


-- 
Edward Rudd <eddie@omegaware.com>

Follow-Ups:
- Re: [SOLVED] OpenLDAP 2.1.19 and ACLs
  - From: Edward Rudd <eddie@omegaware.com>

Prev by Date: Fw: slapd.conf Access Question
Next by Date: Re: Deployment testimonials?
Index(es):
- Chronological
- Thread