
ACL group.regex in 2.1.22

Dear all,

Again, those ACLs bit me in places I don't want to be bitten :-(

I have the following ACL:

access to 
	by dn.regex="qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido" write
	by dn.regex="^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" read
	by group="^qGroup=$1,qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" 
	by dn.regex="qRole=123,qApp=qwido" read
	by * none

I know, it's complicated to read, but just note that the 3rd 'by' clause is 

Now, in my log files, I see:

<= acl_get: [8] acl qService=ftp,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido attr: objectClass
=> acl_mask: access to entry "qService=ftp,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido", attr "objectClass" requested
=> acl_mask: to all values by "qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido", (=n)
<= check a_dn_pat: qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qw
<= check a_dn_pat: ^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwi
<= check a_dn_pat: qRole=123,qApp=qwido
<= check a_dn_pat: *
<= acl_mask: [5] applying none(=n) (stop)
<= acl_mask: [5] mask: none(=n)
=> access_allowed: search access denied by none(=n)

Again, difficult to read, but note that the 'by group' doesn't show up while 
all the others (by dn.regex, and *) do.

What's the reason for this? Do I need to upgrade? Did I overlook something 
very simple!?

Any help would be appreciated. 

PS 'by group' defaults to 'by group.regex', doesn't it?
I read http://www.openldap.org/faq/index.cgi?file=52 and it seems that what I 
am doing is the same as described in the FAQ.


Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl