
Problem with ACL 'domain='

I'm setting up a 2.1.21 server at home, so I can test
the new server types...

The idea is/was to use ACI's in the database, so I don't
have to maintain a complicated ACL. The ACL I'm trying to
use is:
----- s n i p -----
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn="" attr=supportedSASLMechanisms,objectClass,entry
        by domain=.*\.bayour\.com read
        by domain=localhost read
----- s n i p -----

This works if I use 'by * read'. I'm running the slapd on
and doing the search on the same host. Looking for supportedSASLMechanisms,
nothing is retrieved. The IP resolves correctly:
----- s n i p -----
[tuzjfi.tty2]$ host domain name pointer tuzjfi.bayour.com.
[tuzjfi.tty2]$ host tuzjfi.bayour.com
tuzjfi.bayour.com has address
----- s n i p -----

Looking at 'cn=Connection 2,cn=Connections,cn=Monitor', the
following is shown:
----- s n i p -----
dn: cn=Connection 2,cn=Connections,cn=Monitor
description: 2 : 3 : 2/1/0/1 : 2/2/0 : rx : cn=anonymous : ldap:/// : unknown
 : IP= : IP= : 20030722095839Z : 20030722095839Z
----- s n i p -----

Running slapd in debug mode (-d -1) shows this snippet:
----- s n i p -----
conn=0 fd=18 ACCEPT from IP= (IP=
=> test_filter
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl  attr: objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_domain_pat: .*.bayour.com
=> string_expand: pattern:  .*.bayour.com
=> string_expand: expanded: .*.bayour.com
=> regex_matches: string:        unknown
=> regex_matches: rc: 1 no matches
<= check a_domain_pat: localhost
=> string_expand: pattern:  localhost
=> string_expand: expanded: localhost
=> regex_matches: string:        unknown
=> regex_matches: rc: 1 no matches
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50
----- s n i p -----

Now, both the monitor and the debug output claim 'unknown'... Why?

Starting slapd as 'slapd -h ldap://' (or ldap://,
the supportedSASLMechanisms is shown, but NOT if I leave the '-h'
option out... Why?

Thanx for any help and explanation (I got it working by using
ldap://, but I'd like to know WHY :).
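Added example, not part of the original post and not OpenLDAP's own code: a small Python script that reads an acl_mask trace of the kind quoted above and reports which domain= <who> clause slapd tested against which peer-domain value, and with what result. The trace text embedded in the script is constructed from the post's own -d -1 snippet. The domain_pattern_matches helper is an assumption about how slapd evaluates a domain= regex (an unanchored, case-insensitive regular-expression search); it is included only to show that the patterns themselves would have matched a resolved hostname, so the failure in the trace lies in the peer-domain value "unknown", not in the patterns.

```python
import re

# Constructed sample: the acl_mask portion of the slapd -d -1 output quoted in
# the post (only the lines the analyzer looks at are kept).
TRACE = """\
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] matched
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl  attr: objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_domain_pat: .*.bayour.com
=> string_expand: pattern:  .*.bayour.com
=> string_expand: expanded: .*.bayour.com
=> regex_matches: string:        unknown
=> regex_matches: rc: 1 no matches
<= check a_domain_pat: localhost
=> string_expand: pattern:  localhost
=> string_expand: expanded: localhost
=> regex_matches: string:        unknown
=> regex_matches: rc: 1 no matches
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
"""

# Line shapes taken from the trace above.
ACCESS_RE = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested$')
CHECK_RE = re.compile(r'<= check a_domain_pat: (.*)$')
EXPANDED_RE = re.compile(r'=> string_expand: expanded: (.*)$')
STRING_RE = re.compile(r'=> regex_matches: string:\s*(.*)$')
RC_RE = re.compile(r'=> regex_matches: rc: (\d+)')
RESULT_RE = re.compile(r'=> access_allowed: \w+ access (granted|denied) by (\S+)$')


def parse_acl_trace(text):
    """Extract the domain= <who> evaluations from one acl_mask trace.

    Returns a dict with the requested access, the entry/attr it was requested
    on, one record per 'check a_domain_pat' block and the final decision."""
    summary = {"access": None, "entry": None, "attr": None, "checks": [], "result": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            summary["access"], summary["entry"], summary["attr"] = m.groups()
        elif m := RESULT_RE.match(line):
            summary["result"] = (m.group(1), m.group(2))
        elif m := CHECK_RE.match(line):
            # A new <who> clause is being evaluated; following lines describe it.
            current = {"pattern": m.group(1).strip(), "expanded": None,
                       "peer_domain": None, "matched": None}
            summary["checks"].append(current)
        elif current is not None:
            if m := EXPANDED_RE.match(line):
                current["expanded"] = m.group(1).strip()
            elif m := STRING_RE.match(line):
                # This is the value slapd compares the domain= pattern against.
                current["peer_domain"] = m.group(1).strip()
            elif m := RC_RE.match(line):
                # regexec-style return code: 0 means the pattern matched.
                current["matched"] = (int(m.group(1)) == 0)
    return summary


def peer_domain_values(summary):
    """The distinct peer-domain strings the <who> clauses were tested against."""
    return {c["peer_domain"] for c in summary["checks"] if c["peer_domain"] is not None}


def domain_pattern_matches(pattern, peer_domain):
    """Assumption (not slapd's code): a domain= pattern is evaluated as an
    unanchored, case-insensitive regular expression. Unanchored means
    'localhost' would also match 'notlocalhost.example', so anchor patterns
    explicitly (^...$) when they are meant to match a whole hostname."""
    return re.search(pattern, peer_domain, re.IGNORECASE) is not None


def explain(summary, resolved_hostname):
    """Human-readable report, plus what each pattern would do against a
    hostname that reverse DNS actually resolved (resolved_hostname)."""
    lines = [f'{summary["access"]} access to entry "{summary["entry"]}", '
             f'attr "{summary["attr"]}"']
    for i, c in enumerate(summary["checks"], 1):
        lines.append(f'  <who> {i}: domain={c["expanded"]} tested against '
                     f'peer domain {c["peer_domain"]!r}: '
                     f'{"match" if c["matched"] else "no match"}')
        would = domain_pattern_matches(c["expanded"], resolved_hostname)
        lines.append(f'           same pattern against {resolved_hostname!r}: '
                     f'{"match" if would else "no match"}')
    if summary["result"]:
        lines.append(f'  decision: {summary["result"][0]} by {summary["result"][1]}')
    return lines


if __name__ == "__main__":
    s = parse_acl_trace(TRACE)
    for line in explain(s, "tuzjfi.bayour.com"):
        print(line)
```

Running it against the constructed trace shows both domain= clauses being compared with the literal string "unknown" and the request being denied by =n once the <who> list is exhausted, while the same patterns match the hostname the post's reverse lookup returns. If your own trace shows a real hostname in the regex_matches "string:" line and still no match, the pattern is the problem; if it shows "unknown", the peer domain slapd recorded for the connection is.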