[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd and permissions

Jernej Kos wrote:

I am trying to get this working:

access to dn="ou=Domains,uid=(.*),ou=Drones,dc=unimatrix-one,dc=org"
       by dn="cn=root,dc=unimatrix-one,dc=org" write
       by dn="cn=borgd,dc=unimatrix-one,dc=org" write
       by dn="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
       by * read

But it is just being ignored (users still don't have write permission). What is wrong ?

depending on the version of the code you're running, this can either be wrong
or right. In 2.1, this should be almost fine; in 2.2 it's definitely wrong, because
the default for DN match in <who> clauses has moved from "regex" to "exact",
and your third <who> clause doesn't do what you expect. This is very well
documented in the slapd.access(5) man page that accompanies the code in each
version (I wrote it myself, so I know it quite well) and it is a clear demonstration
that default should never be trusted (I think they'll be removed at some point).
It has also been mentioned many times on the mailing lists because it is a common
source of errors.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497