
Re: problem with acl and wildcard



> Hello all
>
> I have a problem writing an acl
>
> I want all the users to have write access to entries implementing any
> objectclass prefixed by a given string
>
>
> So I wrote these acls:
>
> access to *
>     by self write
>     by anonymous auth
>
> access to filter="(objectClass=prefix*)"
>     by users write

The objectClass attributeType does not support substring match.
Note that this should not be viewed as a limitation or poor design of the
objectClass attributeType, because filtering objectClasses that way would
be inherently flawed.  If you want to do something like that in a
consistent manner, you need to derive your objectClasses from a common
ancestor, and filter by that common ancestor, i.e. the objectClass'
superior.

p.

>
>
> and I can't access the data, while doing a ldapsearch as an
> authenticated user ("uid=me,ou=utilisateurs,dc=company,dc=local")
> in the access-level logs I get the following, on an entry that
> implements a prefixXXX objectClass:
> ----------------------------------------------------------
> => access_allowed: search access to "uid=toto,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
> => acl_get: [1] check attr objectClass
> <= acl_get: [1] acl uid=toto,ou=utilisateurs,dc=company,dc=local attr: objectClass
> => acl_mask: access to entry "uid=toto,ou=utilisateurs,dc=company,dc=local", attr "objectClass" requested
> => acl_mask: to all values by "uid=me,ou=utilisateurs,dc=company,dc=local", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: anonymous
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: search access denied by =n
> ----------------------------------------------------------
>
> but according to the second acl, I should be granted a write access on
> "uid=toto,ou=utilisateurs,dc=company,dc=local", so I should be able to
> search the objectClass attribute...
>
> what is the problem?
>
> my config:
> fedora core 1
> openldap-2.1.22
>
> François


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
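
As an added example (not part of the thread, and not OpenLDAP's own code), here is what the "common ancestor" approach looks like in slapd.conf. The class name prefixBase, the leaf classes prefixFoo and prefixBar, their MUST lists and the OIDs under 1.1 are all placeholders: substitute your real classes and an OID arc you own. The kind of the ancestor (ABSTRACT here) is also an assumption; it only has to be a legal superior of your existing classes.

```conf
# Added example, not from the original thread.  OIDs and class names
# below are placeholders.

# ---- schema (e.g. in a file pulled in with "include") ----
# One common superior; every "prefix*" class derives from it.
objectclass ( 1.1.2.1 NAME 'prefixBase'
    DESC 'placeholder: common ancestor of all prefix* classes'
    SUP top ABSTRACT )

objectclass ( 1.1.2.2 NAME 'prefixFoo'
    DESC 'placeholder leaf class'
    SUP prefixBase STRUCTURAL
    MUST cn )

objectclass ( 1.1.2.3 NAME 'prefixBar'
    DESC 'placeholder leaf class'
    SUP prefixBase STRUCTURAL
    MUST cn )

# ---- access control in slapd.conf ----
# Original (kept here commented out for comparison).  Two things defeat it:
# objectClass has an EQUALITY rule only, so "(objectClass=prefix*)" is an
# Undefined filter and matches nothing; and it sits after "access to *",
# which matches every entry, so slapd never even evaluates it (slapd uses
# the first "access to <what>" that matches, as the "[1]" in the log shows).
#access to *
#    by self write
#    by anonymous auth
#access to filter="(objectClass=prefix*)"
#    by users write

# Working version: an equality filter on the ancestor.  slapd evaluates an
# objectClass equality filter against the entry's classes and their
# superiors, so prefixFoo and prefixBar entries both match prefixBase.
# The specific directive comes first so the catch-all does not shadow it.
access to filter="(objectClass=prefixBase)"
    by users write
    by anonymous auth

access to *
    by self write
    by anonymous auth
```

To check it, bind as a normal user and search with the ancestor filter, e.g. `ldapsearch -x -D "uid=me,ou=utilisateurs,dc=company,dc=local" -W -b "dc=company,dc=local" "(objectClass=prefixBase)"`; the prefixFoo/prefixBar entries should now come back, and with `loglevel 128` the ACL trace should show the filter directive being selected for them rather than `[1]`. The `by anonymous auth` line in the filter directive only matters if some of those entries are also entries users bind as; without it, those binds would fall through to the end of that directive and fail.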