[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL problem

I have, on the advise of Kurt Zeilenga, tried to define an object class in order to set an ACL on a list of 30 or so attributes in a concise way.

The objectclass is defined like this

objectclass     ( BathObjectClass:8 NAME 'BathDOEPerson'
   DESC 'Used in slapd.conf to set ACL for bathdoe attributes'
   MAY ( bathdoeexpertise $ bathdoeprofbodies $
         bathdoegrants $ bathdoekeyword $ bathdoepublications $
         bathdoepublicationsurl $ bathdoequalifications $
         bathdoeeducation $ bathdoeproqualifications $
         bathdoecareer $ bathdoesabbaticalleave $
         bathdoeprizes $ bathdoeexternalbodies $
         bathdoeteachingactivities $ bathdoeadministration $
         bathdoeexternalactivities $ bathdoeexhibitions $
         bathdoeprofessionalpractice $ bathdoeconsultancies $
         bathdoeresearchinterests $ bathdoepatents $
         bathdoecommerciallinks $ bathdoeresearchstudents $
         bathdoeexternalexaminer $ bathdoeconferencetalks $
         bathdoeconferencechairing $ bathdoeseminars $
         bathdoefurtherinformation $ bathdoeoptions $
         bathdoestatus )

My entire ACL list looks like this

access to attr=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * none
access to attr=@bathdoeperson
      by self write
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * none
access to *
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * read

This does work for the bathdoe attributes. However it seems to have unexpected consequences for the objectclass attribute type.

An anonymous user can not see or query using the objectclass for the persons or organisationalroles. An authenticated user can see the objectclasses associated with their own person entry but not their own organizationalroles, and they can not see objectclasses for other users.

If I remove the middle ACL (@bathdoeperson) there are no restrictions on objectclass or bathdoe attribute types (as expected).

An explanation would be much appreciated and no doubt would add to my understanding of ACLs

Paul Christie Bath University Computing Services