
Re: slapd.access dn.regex sasl



In this case, I think you should rather read the slapd.conf(5) man page and
the Admin Guide; the statement below


> access to dn.regex=".*$"
> #access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
> attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
>         by self write
>         by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
>         by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
>         by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
>         by group.expand="cn=Replicator,ou=Group,dc=utiba" write
>         by * auth

actually expands in:

<statement 1>
access to dn.regex=".*$"
</statement 1>

<statement 2>
#access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by * auth
</statement 2>

where statement 2 is a comment continued on multiple lines by the leading
spaces (I assume the "attrs=..." does not start in column 1, but got there
because the mailer wrapped a long line).

So statement 1 is an empty rule.  That's why you get that "no more <who>
clauses" besides the implicit "by * none":

>> >when it fails
>> >------------------------------------
>> >access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba"
>> >"uid" requested
>> >May  6 11:28:41 blackops slapd[30775]: => dn: [1]
>> >May  6 11:28:41 blackops slapd[30775]: => dn: [2] cn=subschema
>> >May  6 11:28:41 blackops slapd[30775]: => dnpat: [3] ^.+$ nsub: 0
>> >May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
>> >May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] attr uid
>> >May  6 11:28:41 blackops slapd[30775]: => acl_mask: access to entry
>> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
>> >May  6 11:28:41 blackops slapd[30775]: => acl_mask: to value by "",
>> (=n)
>> >May  6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who>
>> >clauses, returning =n (stop)

The rationale is that you cannot embed a comment inside a statement.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
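As an added illustration of the continuation-line behaviour explained in the message above (my own example, not code from the post or from OpenLDAP), here is a small Python model of how slapd.conf(5) joins lines that begin with whitespace onto the previous line before comment lines are dropped. It is run over the ACL quoted in the post and over a constructed variant in which the comment is moved out of the statement; the model is a simplification and the "fixed" configuration is an assumption, not something the post proposes.

```python
import re

# Constructed from the ACL quoted in the post: "access to dn.subtree" is commented out.
CONFIG_AS_POSTED = """\
access to dn.regex=".*$"
#access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by * auth
"""

# Constructed fix (assumption): the comment is moved above the statement it was inside.
CONFIG_FIXED = """\
#access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
access to dn.regex=".*$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by * auth
"""

def logical_lines(text):
    """Join each line starting with whitespace onto the previous line, as slapd.conf(5)
    describes; a commented-out line therefore swallows the continuation lines below it."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def parse_access(text):
    """Return (what, [who clauses]) per active 'access to' statement; [] is an empty rule."""
    rules = []
    for line in logical_lines(text):
        if line.startswith("#") or not line.startswith("access to"):
            continue
        parts = re.split(r"\s+by\s+", line[len("access to"):].strip())
        rules.append((parts[0], parts[1:]))
    return rules
```

With the configuration as posted, the only active statement is `dn.regex=".*$"` with no `by` clauses, which is the empty rule that falls through to the implicit `by * none`; with the comment moved out, all six `by` clauses attach to it.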