
ACL rule problem



Hi *,

Banging my head on an ACL rule problem, using OL 2.1.22. I have consulted the Admin guide, the slapd.access man page and the FAQ (especially http://www.openldap.org/faq/data/cache/973.html). From looking at these sources and applying what they tell me, my rule *should* work.

The ACL:

--------------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
by group/groupOfUniqueNames/uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
by * none
--------------------------



The outcome:

----------------
=> access_allowed: search access to "ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
=> acl_get: [2] matched
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr: objectClass
=> acl_mask: access to entry "ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass" requested
=> acl_mask: to value by "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com", (=n)
-----------------


I'm convinced this must be a replacement problem, but the debugging does not tell me what $2 evaluates to during processing. Can anyone see a flaw in the rule or know how to debug access rules with even more detail?

Thanks!

jens

---------------
Jens Vagelpohl			jens@zetwork.com
Zetwork GmbH				http://www.zetwork.com/
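Added example, not part of the original post: a small Python helper that replays the match of the ACL's dn.regex against the DN from the trace and shows what $2 expands to in the group pattern, which is exactly what the slapd debug output above does not print. It assumes slapd's expansion rules are "$N inserts capture group N, $$ yields a literal $" and that Python's re is close enough to POSIX regex for this pattern; it is not slapd's own code.

```python
import re

# Inputs copied from the question: the ACL target regex, the group-DN pattern
# carrying the $2 back-reference, and the entry DN from the access_allowed trace.
TARGET_REGEX = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
GROUP_PATTERN = "^ou=$2,ou=mail,dc=mycompany,dc=com$$"
ENTRY_DN = "ou=mycompany.com,ou=mail,dc=mycompany,dc=com"


def expand(pattern, match):
    """Expand $N back-references in PATTERN from MATCH.

    Assumed expansion rules (modelled on slapd, not its code): $N inserts
    capture group N (empty if the group did not take part), $$ is a literal $.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "$" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "$":
                out.append("$")
                i += 2
                continue
            if nxt.isdigit():
                out.append(match.group(int(nxt)) or "")
                i += 2
                continue
        out.append(pattern[i])
        i += 1
    return "".join(out)


def trace_acl(target_regex, group_pattern, dn):
    """Return (captures, expanded group regex), or None if the target
    regex does not match DN at all."""
    m = re.match(target_regex, dn)
    if m is None:
        return None
    return m.groups(), expand(group_pattern, m)


def group_regex_matches(expanded_group_regex, candidate_group_dn):
    """Check the expanded pattern as slapd would use it: as a regex.  Note that
    metacharacters in the captured value (the '.' in mycompany.com) are not
    escaped, so the expanded text is a pattern, not a literal DN."""
    return re.match(expanded_group_regex, candidate_group_dn) is not None


if __name__ == "__main__":
    for dn in (ENTRY_DN, "cn=jens@mycompany.com," + ENTRY_DN):
        print(dn, "->", trace_acl(TARGET_REGEX, GROUP_PATTERN, dn))
```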