
ACL rule problem

Hi *,

Banging my head on an ACL rule problem, using OL 2.1.22. I have consulted the Admin guide, the slapd.access man page and the FAQ (especially http://www.openldap.org/faq/data/cache/973.html). From looking at these sources and applying what they tell me, my rule *should* work.

The ACL:

access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
by group/groupOfUniqueNames/uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
by * none

The outcome:

=> access_allowed: search access to "ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
=> acl_get: [2] matched
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr: objectClass
=> acl_mask: access to entry "ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass" requested
=> acl_mask: to value by "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com", (=n)

I'm convinced this must be a replacement problem, but the debugging does not tell me what $2 evaluates to during processing. Can anyone see a flaw in the rule or know how to debug access rules with even more detail?



Jens Vagelpohl			jens@zetwork.com
Zetwork GmbH				http://www.zetwork.com/
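An added example, not part of the message above and not OpenLDAP code: a small Python model of how the posted rule is evaluated, written to answer exactly the question the post raises, namely what $1 and $2 capture for a given target DN and which group DN the `by group/...` clause ends up looking up. The toy directory, the pass-through of the trailing `$$`, and the stripping of the `^`/`$` anchors to obtain a group DN are assumptions of this model, not verified slapd behaviour; compare them against slapd.access(5) for the release in use before drawing conclusions about the real server.

```python
import re

# Constructed copy of the two pattern strings from the posted ACL.
TARGET_PATTERN = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
GROUP_PATTERN = r"^ou=$2,ou=mail,dc=mycompany,dc=com$$"

# Constructed toy directory: DN -> {attribute: set of values}. The ou entry doubles
# as the groupOfUniqueNames that the 'by group/...' clause consults (assumption).
DIRECTORY = {
    "ou=mycompany.com,ou=mail,dc=mycompany,dc=com": {
        "objectClass": {"organizationalUnit", "groupOfUniqueNames"},
        "uniqueMember": {"cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com"},
    },
    "ou=other.example,ou=mail,dc=mycompany,dc=com": {
        "objectClass": {"organizationalUnit", "groupOfUniqueNames"},
        "uniqueMember": set(),
    },
}


def captures_for(target_dn):
    """Match the 'access to dn.regex' pattern against a target DN and return the
    numbered captures ($1, $2, ...), or None when the rule does not apply."""
    m = re.match(TARGET_PATTERN, target_dn, re.IGNORECASE)
    if m is None:
        return None
    # Captures are numbered from 1; an unmatched optional group becomes "".
    return {n: (m.group(n) or "") for n in range(1, m.re.groups + 1)}


def expand_group_pattern(captures):
    """Substitute $N with the Nth capture. Only '$' followed by a digit is touched;
    everything else (including the trailing '$$') is copied through unchanged.
    Assumption: a simplified model of slapd's expansion, not its actual code."""
    return re.sub(r"\$(\d)", lambda m: captures.get(int(m.group(1)), ""), GROUP_PATTERN)


def decide(target_dn, bind_dn):
    """Evaluate one access check; return (captures, expanded_group_spec, access)."""
    captures = captures_for(target_dn)
    if captures is None:
        return (None, None, "rule not applicable")
    spec = expand_group_pattern(captures)
    # Model simplification: strip regex anchors to get the DN of the group entry.
    group_dn = spec.lstrip("^").rstrip("$")
    members = DIRECTORY.get(group_dn.lower(), {}).get("uniqueMember", set())
    access = "write" if bind_dn.lower() in {v.lower() for v in members} else "none"
    return (captures, spec, access)


if __name__ == "__main__":
    bind = "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com"
    for target in (
        "ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        "ou=other.example,ou=mail,dc=mycompany,dc=com",
        "dc=mycompany,dc=com",
    ):
        caps, spec, access = decide(target, bind)
        print(f"{target}\n  captures={caps}\n  group spec={spec}\n  access={access}")
```

Running it shows that for the DN in the log output, `$1` is empty (the optional leading RDNs are absent) and `$2` is `mycompany.com`, so the expanded group pattern is `^ou=mycompany.com,ou=mail,dc=mycompany,dc=com$$`; whether the real server then resolves that string to the intended group entry, and how it treats the `$$`, is what the man page for the running release has to settle, which is why the `$$` handling is left visible in the output rather than guessed at.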