Re: Decyphering openldap ACL logs
At 08:27 PM 4/29/2004, firstname.lastname@example.org wrote:
>> >=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
>What is the meaning of "=>" and "<=" ?
Generally, these refer to logging on input and output respectively.
>How did you find that? both log( and ) entries are similar!
By looking at surrounding log entries.
>> ><= acl_get:  acl dc=cse,dc=com attr: entry
>> >=> acl_mask: access to entry "dc=cse,dc=com", attr "entry"
>> >=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
>> ><= check a_dn_pat: cn=admin,dc=com
>> ><= check a_dn_pat: *
>What is the meaning of acl_get, acl_mask, a_dn_pat?
acl_get and acl_mask, as used above, are function names.
a_dn_pat is a field name, the field that holds the DN pattern.
>> This is from the first clause of the second access statement.
>> It doesn't match.
>> ><= acl_mask:  applying read(=rscx) (stop)
>> ><= acl_mask:  mask: read(=rscx)
>> Here it's saying that the third clause of (second) access
>> statement applied.
>What is the meaning of "applying read(=rscx) (stop)" and "mask: read(=rscx)" ?
Means that the clause is being applied and the resultant
access level is read.
>> >=> access_allowed: write access denied by read(=rscx)
>> This says that write access to entry was denied as subject
>> (uid=mailadmin,dc=com) was only authorized to read.
>Ok. My ldif file is given below, I am wondering why the aci entries were not applied.
I'll leave commenting on ACIs to others more familiar with them.
I've yet to find a reason to use them myself.
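
Added example, not part of the original message and not OpenLDAP code: a small parser that groups the ACL debug lines discussed in this thread into one record per access check and reports the denied ones. The second check in the sample is constructed and assumes a permitted request logs "granted by" where the thread's trace shows "denied by".

```python
import re
# First check: lines quoted in this thread. Second check: constructed sample.
SAMPLE = '''\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
<= acl_get:  acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry"
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask:  applying read(=rscx) (stop)
<= acl_mask:  mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
=> access_allowed: read access to "dc=cse,dc=com" "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= acl_mask:  applying read(=rscx) (stop)
=> access_allowed: read access granted by read(=rscx)
'''

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'=> acl_mask: to .* by "([^"]*)"')
PAT = re.compile(r'<= check a_dn_pat: (.+)')
APPLY = re.compile(r'<= acl_mask:\s+applying (\S+)')
END = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def parse_acl_trace(text):
    """Group slapd ACL debug lines into one record per access check."""
    records, cur = [], None
    for line in text.splitlines():
        if m := REQ.search(line):        # a new access_allowed request opens a record
            cur = {"want": m[1], "dn": m[2], "attr": m[3], "subject": None,
                   "patterns": [], "applied": None, "result": None}
        elif cur is None:
            continue                     # line outside any request, ignore it
        elif m := WHO.search(line):      # the DN the check is performed for
            cur["subject"] = m[1]
        elif m := PAT.search(line):      # each "by" DN pattern that was tested
            cur["patterns"].append(m[1].strip())
        elif m := APPLY.search(line):    # the clause that matched and its level
            cur["applied"] = m[1]
        elif m := END.search(line):      # final decision closes the record
            cur["result"] = m[2]
            records.append(cur)
            cur = None
    return records

def denied(text):
    """Return (subject, wanted, applied_level, dn) for every denied check."""
    return [(r["subject"], r["want"], r["applied"], r["dn"])
            for r in parse_acl_trace(text) if r["result"] == "denied"]
```

The patterns list preserves the order in which the "by" clauses were tried, which is what shows which clause of the access statement ended the evaluation.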