
ACL access clause parsing

It would appear that the ACL access clause parsing has changed between
OpenLDAP 2.0 and 2.1.

This ACL worked in 2.0:

access to attrs=carLicense
    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
    by self write
    by * none

In 2.1 (at least 2.1.27 and 2.1.29), if the authenticated DN is a member
of the Readers group, and they are attempting to modify their
carLicense, they will fail with "Insufficient access (50)".

However, if I reorder the ACL to:

access to attrs=carLicense
    by self write
    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
    by * none

Then the modification of my own entry works even if I'm a member of the
Readers group.

Was this change intentional and I missed it somewhere in the
documentation (which includes the slapd.access manpage for 2.1.29) or is
it an error and I should file an ITS?

Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
        === God bless all inhabitants of your planet ===
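The behaviour described in the post is what slapd's first-match evaluation of `by` clauses produces: the first `by` clause whose "who" part matches the bound DN decides the outcome, and if the level it grants is lower than the operation needs, access is denied rather than falling through to a later clause. The script below is an added example, not code from the post or from OpenLDAP; it is a deliberately simplified model of that rule (no `continue`/`break` controls, no regex or dn.* matching) and uses constructed DNs such as `uid=frank,ou=People,dc=my-domain,dc=com` and a group membership table that are assumptions, not data from the post.

```python
import shlex

# Ordered privilege levels as slapd compares them: a clause granting "read"
# satisfies a read or compare request but not a write request.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# Constructed group membership (assumption for the example, not real data).
GROUPS = {
    "cn=Readers,ou=Admin,dc=my-domain,dc=com": {
        "uid=frank,ou=People,dc=my-domain,dc=com",
    },
}

FRANK = "uid=frank,ou=People,dc=my-domain,dc=com"   # member of Readers
BOB = "uid=bob,ou=People,dc=my-domain,dc=com"       # not a member

# The two access directives exactly as they appear in the post.
ACL_ORIGINAL = """access to attrs=carLicense
    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
    by self write
    by * none"""

ACL_REORDERED = """access to attrs=carLicense
    by self write
    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
    by * none"""


def parse_by_clauses(directive):
    """Return the ordered list of (who, level) pairs from an access directive.

    Only the 'by <who> <level>' form is handled; shlex strips the quotes
    around the group DN so 'group="cn=..."' becomes 'group=cn=...'.
    """
    clauses = []
    for line in directive.splitlines():
        tokens = shlex.split(line)
        if len(tokens) == 3 and tokens[0] == "by":
            clauses.append((tokens[1], tokens[2]))
    return clauses


def who_matches(who, bind_dn, target_dn):
    """Simplified 'who' matching: '*', 'self' and 'group=<dn>' only."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn == target_dn
    if who.startswith("group="):
        return bind_dn in GROUPS.get(who[len("group="):], set())
    return False


def access_granted(directive, bind_dn, target_dn, wanted):
    """First-match evaluation: the first matching clause decides, later
    clauses are never consulted, and an insufficient level means denial."""
    for who, level in parse_by_clauses(directive):
        if who_matches(who, bind_dn, target_dn):
            return LEVELS[level] >= LEVELS[wanted]
    return False  # no clause matched: slapd denies by default


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("reordered", ACL_REORDERED)):
        ok = access_granted(acl, FRANK, FRANK, "write")
        print(f"{name}: Readers member writing own carLicense -> "
              f"{'allowed' if ok else 'Insufficient access (50)'}")
```

With the original ordering, Frank is matched by the `group=` clause first, which grants only `read`, so his write to his own entry is refused; the `by self write` clause is never reached. Putting `by self write` first lets the more specific subject match before the broader group clause, which is the ordering the post found to work. The same check applied to a non-member (Bob) shows the original ACL already allows his self-write, since `self` is his first matching clause.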