
OpenLDAP 2.0.25 ACL not working for me


I'm trying to get a particular ACL working here...

I'm using OpenLDAP 2.0.25 and FreeBSD 4.7.

Basically I want to restrict access to an attribute located in
ou=domain.com, ou=domains, dc=globalrelay, dc=net.
I'm trying to give read access to connections that have bound as a
child entry of that record.

Here's what I've set. It seems to constantly deny me when I've logged
in as uid=user, ou=domain.com, ou=domains, dc=globalrelay, dc=net:

access to dn.regex="^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"
        by dn="cn=admin,dc=globalrelay,dc=net" write
        by dn.regex="^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$" read
        by * none

I've also tried out something similar to this:
        by dn.children="ou=$1,ou=domains,dc=globalrelay,dc=net" read
with a similar lack of success.

Here's a piece of the logs that pertains to the ACL checking
for "privateAttribute":
slapd[39118]: => access_allowed: read access to "ou=domain.com,ou=domains,dc=globalrelay,dc=net" "privateAttribute"
slapd[39118]: => dnpat: [1] ^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$ nsub: 1
slapd[39118]: => acl_get: [1] matched
slapd[39118]: => acl_get: [1] check attr privateAttribute
slapd[39118]: <= acl_get: [1] acl ou=domain.com,ou=domains,dc=globalrelay,dc=net attr: privateAttribute
slapd[39118]: => acl_mask: access to entry "ou=domain.com,ou=domains,dc=globalrelay,dc=net", attr "privateAttribute"
slapd[39118]: => acl_mask: to all values by
slapd[39118]: <= check a_dn_pat: cn=admin,dc=globalrelay,dc=net
slapd[39118]: <= check a_dn_pat: ^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$
slapd[39118]: <= check a_dn_pat: *
slapd[39118]: <= acl_mask: [3] applying none (=n) (stop)
slapd[39118]: <= acl_mask: [3] mask: none (=n)
slapd[39118]: => access_allowed: read access denied by none (=n)
slapd[39118]: acl: access to attribute privateAttribute not allowed

Am I missing something painfully obvious here?

Thanks for any help you could offer.
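An added example, not part of the post above or of OpenLDAP itself: a small Python simulation of how the two regex clauses in the posted ACL interact. The log shows the `access to dn.regex` pattern matching with `nsub: 1` and then the `by dn.regex` clause (with `$1` substituted from that match) failing to match the bound DN. The script models that two-step check for the pattern as posted and for a corrected one, so you can see what `$1` actually holds in each case. It assumes slapd substitutes `$1` with the text captured by the first parenthesised group of the `to` pattern before compiling the `by` pattern, and that DN regex matching is case-insensitive (the sample DNs are all lower-case, so the second assumption does not affect the result). The `dn.children="ou=$1,..."` variant from the post is not modelled. The sample DNs are constructed from the ones in the post.

```python
import re

# Constructed sample DNs, taken from the post: the entry being read and the
# DN the client bound as.
TARGET_DN = "ou=domain.com,ou=domains,dc=globalrelay,dc=net"
BOUND_DN = "uid=user,ou=domain.com,ou=domains,dc=globalrelay,dc=net"

# The 'access to dn.regex' pattern as posted. The '+' sits outside the
# parentheses, so the group matches a single non-comma character and the
# '+' repeats the group; a backreference only keeps the LAST repetition,
# so $1 ends up holding just "m" (the last character of "domain.com").
BROKEN_TO = r"^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"

# Corrected pattern: the '+' is inside the group, so $1 holds "domain.com".
FIXED_TO = r"^ou=([^,]+),ou=domains,dc=globalrelay,dc=net$"

# The 'by dn.regex' clause from the post, with $1 still unexpanded.
BY_PATTERN = r"^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$"


def expand(by_pattern: str, to_match: re.Match) -> str:
    """Replace $1..$9 in a 'by' clause with the groups captured by the
    'access to dn.regex' match (assumed to mirror slapd's expansion)."""
    return re.sub(r"\$([1-9])",
                  lambda m: to_match.group(int(m.group(1))),
                  by_pattern)


def acl_allows(to_pattern: str, by_pattern: str,
               target_dn: str, bound_dn: str):
    """Evaluate one 'access to dn.regex ... by dn.regex' pair.

    Returns (captured $1, expanded 'by' pattern, bound DN matched) or
    (None, None, False) if the target DN does not hit the 'to' clause.
    Matching is case-insensitive; an assumption about slapd's behaviour.
    """
    to_match = re.match(to_pattern, target_dn, re.IGNORECASE)
    if to_match is None:
        return None, None, False
    expanded = expand(by_pattern, to_match)
    matched = re.match(expanded, bound_dn, re.IGNORECASE) is not None
    return to_match.group(1), expanded, matched


if __name__ == "__main__":
    for label, to_pat in (("as posted", BROKEN_TO), ("corrected", FIXED_TO)):
        cap, by_pat, ok = acl_allows(to_pat, BY_PATTERN, TARGET_DN, BOUND_DN)
        print(f"{label:10s} $1={cap!r:14s} by={by_pat}  read granted: {ok}")
```

With the pattern as posted, `$1` is `"m"`, the expanded clause becomes `^.*,ou=m,ou=domains,dc=globalrelay,dc=net$`, and the bound DN falls through to `by * none`, which is exactly what the `acl_mask: [3] applying none` log line shows. With `([^,]+)` the expanded clause contains `ou=domain.com` and the child entry matches. One further caveat: the captured text is substituted into a regex unescaped, so the `.` in `domain.com` matches any character; for a stricter match, anchor the bound DN with `dn.children` or escape the value if your slapd version expands `$1` there.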