
Re: slurpd question with GSSAPI



"Derek T. Yarnell" <derek@cs.umd.edu> writes:

> On Fri, Aug 27, 2004 at 09:50:10AM +0200, Dieter Kluenter wrote:


> I am trying to allow my gssapi auth'd users write to a few of their
> own attributes.  
>
> access to dn="uid=(.*),ou=.*,dc=csic,dc=umd,dc=edu" attr=cn,givenName,sn,mailRoutingAddress,loginShell,gecos
>         by dn="uid=$1@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth" write
>         by self write
>         by * read
>
> But getting, in the slapd -d 128 log,
>
> => access_allowed: write access to
> "uid=testing,ou=people,dc=csic,dc=umd,dc=edu" "cn" requested
> => dn: [1] uid=testing,ou=.*,dc=csic,dc=umd,dc=edu
> => acl_get: [2] attr cn
> access_allowed: no res from state (cn)
> => acl_mask: access to entry
> "uid=testing,ou=people,dc=csic,dc=umd,dc=edu", attr "cn" requested
> => acl_mask: to all values by
> "uid=testing@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth", (=n) 
> <= check a_dn_pat: uid=derek@cs.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
> <= check a_dn_pat: *
> <= acl_mask: [2] applying read(=rscx) (stop)
> <= acl_mask: [2] mask: read(=rscx)
> => access_allowed: write access denied by read(=rscx)
>
> Am I missing something here?

You should check the sequence of your access rules and probably change
it. It seems that slapd never reaches the appropriate rule when
parsing.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.avci.de
GPG Key ID:8C183C8622115328
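
Added example, not part of the original thread and not slapd's own code: a simplified Python model of slapd's first-match ACL selection, showing how an earlier, broader `access to` clause can decide a request before the rule posted above is reached. `BROAD_RULE` and its admin DN are constructed for illustration; the rule numbered [2] in the poster's log is not shown in the thread.

```python
import re

# Simplified model (assumption, not slapd code): the first "access to" clause
# whose DN pattern and attribute list match is selected; its first matching
# "by" clause decides the access level and evaluation stops there.
def evaluate(rules, requester, target_dn, attr):
    """Return (1-based clause number, access level) for one request."""
    for number, rule in enumerate(rules, start=1):
        m = re.search(rule["dn"], target_dn, re.IGNORECASE)
        if m is None or (rule["attrs"] and attr not in rule["attrs"]):
            continue
        first = (m.group(1) or "") if m.re.groups else ""
        for who, level in rule["by"]:
            # Expand $1 from the target DN match, then compare literally.
            expanded = who.replace("$1", first)
            if who == "*" or expanded.lower() == requester.lower():
                return number, level
            if who == "self" and requester.lower() == target_dn.lower():
                return number, level
        return number, "none"  # selected clause had no matching "by"
    return 0, "none"           # no clause matched the target at all

# The rule as posted in the thread.
PAGE_RULE = {
    "dn": r"uid=(.*),ou=.*,dc=csic,dc=umd,dc=edu",
    "attrs": {"cn", "givenName", "sn", "mailRoutingAddress",
              "loginShell", "gecos"},
    "by": [("uid=$1@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth", "write"),
           ("self", "write"),
           ("*", "read")],
}
# Constructed broad rule: every entry, every attribute (empty set = all).
BROAD_RULE = {
    "dn": r".*",
    "attrs": set(),
    "by": [("uid=admin@example.org,cn=example.org,cn=gssapi,cn=auth", "write"),
           ("*", "read")],
}
REQUESTER = "uid=testing@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth"
TARGET = "uid=testing,ou=people,dc=csic,dc=umd,dc=edu"

if __name__ == "__main__":
    # Broad rule first: it is selected and "by * read" ends evaluation.
    print(evaluate([BROAD_RULE, PAGE_RULE], REQUESTER, TARGET, "cn"))
    # Specific rule first: the $1 expansion matches the GSSAPI identity.
    print(evaluate([PAGE_RULE, BROAD_RULE], REQUESTER, TARGET, "cn"))
```

With the broad rule listed first the model returns read from clause 1, the same outcome as the `write access denied by read(=rscx)` line in the log; with the specific rule first the same request gets write.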