[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Changes in ACI between 2.1.29 and 2.2.11
- To: openldap-software@OpenLDAP.org
- Subject: Changes in ACI between 2.1.29 and 2.2.11
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 27 Jun 2004 13:59:17 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
What's changed? I can't get the values that I'm supposed to get
(I'm missing a lot of the values - only get ONE line instead of
15!) ...
----- s n i p -----
CHROOT/Woody-devel# ldapsearch -LLL -h localhost -b 'c=SE' uid=turbo openldapaci
SASL/GSSAPI authentication started
SASL username: turbo@SWE.NET
SASL SSF: 56
SASL installing layers
dn: uid=turbo,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
CHROOT/Woody-devel# ldapwhoami -h localhost
SASL/GSSAPI authentication started
SASL username: turbo@SWE.NET
SASL SSF: 56
SASL installing layers
dn:uid=turbo,ou=people,o=swe.net ab,c=se
----- s n i p -----
The database is loaded with the following ACI's for this object, and this
is what I get if I replace the ACL's to 'access to * by * write' instead.
----- s n i p -----
dn: uid=turbo,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;x;userPassword,krb5PrincipalName#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#self#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=turbo,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=malin,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=ma,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=turbo,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=malin,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=ma,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=turbo,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=malin,ou=People,o=Swe.Net AB,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=ma,ou=People,o=Swe.Net AB,c=SE
----- s n i p -----
Running slapd with '-d 128' shows this:
----- s n i p -----
=> access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE" "OpenLDAPaci" requested
=> dn: [1]
=> dn: [2]
=> dn: [3] cn=monitor
=> dn: [4] cn=monitor
=> dn: [5] cn=subschema
=> dn: [6] uid=.*
=> acl_get: [8] attr OpenLDAPaci
access_allowed: no res from state (OpenLDAPaci)
=> acl_mask: access to entry "uid=turbo,ou=People,o=Swe.Net AB,c=SE", attr "OpenLDAPaci" requested
=> acl_mask: to value by "uid=turbo,ou=people,o=swe.net ab,c=se", (=n)
<= aci_mask grant =wrscx deny =n
<= acl_mask: [15] applying +wrscx (stop)
<= acl_mask: [15] mask: =wrscx
=> access_allowed: read access granted by =wrscx
=> access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE" "OpenLDAPaci" requested
<= acl_get: done.
=> access_allowed: no more rules
acl: access to attribute OpenLDAPaci, value 1 not allowed
=> access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE" "OpenLDAPaci" requested
<= acl_get: done.
=> access_allowed: no more rules
acl: access to attribute OpenLDAPaci, value 2 not allowed
[etc for the other lines up to 'value 14 not allowed']
----- s n i p -----
Since it won't continue on to 'value 1' and beyound, is the 'familyOID'
finaly implemented (correctly)? Would it help to number the ACI's?
Why does it say 'no more rules' (there should be 14 more rules!)?
The ACL's look like this (just for the record :)
----- s n i p -----
access to dn.base="" attrs=supportedSASLMechanisms,namingContexts,subschemaSubentry,objectClass,entry
by * read
access to * by aci write
----- s n i p -----