Openldap 2.0.25 acl not working for me
Hello,
I'm trying to get a particular acl working here...
I'm using OpenLDAP 2.0.25 and FreeBSD 4.7.
Basically I want to restrict access to an attribute located in
ou=domain.com, ou=domains, dc=globalrelay, dc=net.
I'm trying to give connections that have bound as that record's
child entry read access.
Here's what I've set; it seems to constantly deny me when I've logged
in as uid=user, ou=domain.com, ou=domains, dc=globalrelay, dc=net:
access to dn.regex="^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"
attr=privateAttribute
by dn="cn=admin,dc=globalrelay,dc=net" write
by dn.regex="^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$" read
by * none
I've also tried out something similar to this:
by dn.children="ou=$1,ou=domains,dc=globalrelay,dc=net" read
with a similar lack of success.
Here's a piece of the logs that pertain to the acl checking
for "privateAttribute":
===================================================
slapd[39118]: => access_allowed: read access to "ou=domain.com,ou=domains,dc=globalrelay,dc=net" "privateAttribute" requested
slapd[39118]: => dnpat: [1] ^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$ nsub: 1
slapd[39118]: => acl_get: [1] matched
slapd[39118]: => acl_get: [1] check attr privateAttribute
slapd[39118]: <= acl_get: [1] acl ou=domain.com,ou=domains,dc=globalrelay,dc=net attr: privateAttribute
slapd[39118]: => acl_mask: access to entry "ou=domain.com,ou=domains,dc=globalrelay,dc=net", attr "privateAttribute" requested
slapd[39118]: => acl_mask: to all values by "UID=USER,OU=DOMAIN.COM,OU=DOMAINS,DC=GLOBALRELAY,DC=NET", (=n)
slapd[39118]: <= check a_dn_pat: cn=admin,dc=globalrelay,dc=net
slapd[39118]: <= check a_dn_pat: ^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$
slapd[39118]: <= check a_dn_pat: *
slapd[39118]: <= acl_mask: [3] applying none (=n) (stop)
slapd[39118]: <= acl_mask: [3] mask: none (=n)
slapd[39118]: => access_allowed: read access denied by none (=n)
slapd[39118]: acl: access to attribute privateAttribute not allowed
===================================================
Am I missing something painfully obvious here?
Thanks for any help you could offer.
Thanks,
Eric
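Added worked example (not part of Eric's post and not OpenLDAP's own code): a small Python simulation of how slapd evaluates the clause above. It matches the target DN against the "access to dn.regex" pattern case-insensitively (slapd compiles ACL regexes with REG_ICASE, which is why the upper-cased bound DN in the log still matches), substitutes the captured group for $1 in the "by dn.regex" clause, and then tests the bound DN against the expanded pattern. The simulation assumes the captured text is inserted verbatim into the by clause. Run against the posted pattern it reproduces the log: in ^ou=([^,])+,... the quantifier sits outside the parentheses, so group 1 holds only the last character matched by the repeated group ("m" for domain.com), the expanded by clause becomes ^.*,ou=m,ou=domains,..., the bound DN does not match it, and evaluation falls through to "by * none". Moving the quantifier inside the group, ^ou=([^,]+),..., captures the whole ou value and the same bound DN gets read access. The DNs and the uid=mallory bind DN are constructed sample data.

```python
import re

# Constructed DNs mirroring the post. slapd 2.0 normalizes the bound DN to
# upper case, as the log shows, and ACL regexes are compared with REG_ICASE.
TARGET_DN = "ou=domain.com,ou=domains,dc=globalrelay,dc=net"
BIND_DN = "UID=USER,OU=DOMAIN.COM,OU=DOMAINS,DC=GLOBALRELAY,DC=NET"
ADMIN_DN = "cn=admin,dc=globalrelay,dc=net"
OTHER_DN = "UID=MALLORY,OU=OTHER.ORG,OU=DOMAINS,DC=GLOBALRELAY,DC=NET"  # constructed

# "access to dn.regex=" patterns: exactly as posted, and with the quantifier
# moved inside the group so that $1 captures the whole ou value.
POSTED_TO = r"^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"
FIXED_TO = r"^ou=([^,]+),ou=domains,dc=globalrelay,dc=net$"

# The "by dn.regex=" clause with $1 written as it appears in slapd.conf.
BY_PAT = r"^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$"


def expand(by_pattern, to_match):
    """Replace $1..$9 in the by clause with the groups captured by the
    'access to' match. The captured text is inserted verbatim, which is an
    assumption about slapd's behaviour, not something taken from its source."""
    return re.sub(r"\$([1-9])",
                  lambda m: to_match.group(int(m.group(1))), by_pattern)


def evaluate(to_pattern, target_dn, bind_dn):
    """Walk the posted ACL for a read request on target_dn by bind_dn.

    Returns (group1, expanded_by_pattern, access), where access is 'write',
    'read' or 'none' in the order of the by clauses, or (None, None, None)
    when the 'access to' pattern does not match and the clause is skipped.
    """
    to_match = re.match(to_pattern, target_dn, re.IGNORECASE)
    if to_match is None:
        return None, None, None
    group1 = to_match.group(1)
    by_expanded = expand(BY_PAT, to_match)
    # by dn="cn=admin,dc=globalrelay,dc=net" write
    if bind_dn.lower() == ADMIN_DN.lower():
        return group1, by_expanded, "write"
    # by dn.regex="^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$" read
    if re.match(by_expanded, bind_dn, re.IGNORECASE):
        return group1, by_expanded, "read"
    # by * none
    return group1, by_expanded, "none"


if __name__ == "__main__":
    for label, pat in (("posted", POSTED_TO), ("fixed", FIXED_TO)):
        g1, by_pat, access = evaluate(pat, TARGET_DN, BIND_DN)
        print(f"{label}: $1={g1!r} by-clause={by_pat} -> {access}")
```

Two caveats for the corrected pattern. Because $1 is spliced into a regex, the "." in domain.com is a metacharacter in the expanded by clause, so under the verbatim-substitution assumption a bound DN under ou=domainXcom would also be granted read; if the by clause only needs to cover direct children, a children-style match on the literal ou value is the tighter choice. And the leading ^.*, admits any depth below the matched ou, not only its immediate children.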