[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access 'sets'

Boris Stobbe wrote:

Hash: SHA1


I'm trying to implement an ACL based on sets, but it doesn't work. I
defined the ACL as:
access to dn.children="ou=Jobs,ou=PyKota,o=test"
~~        by dn="cn=pykota,ou=Admin,o=test" write
~~        by set="user/uid & this/pykotaUserName" read
~~        by * search

If I search for an object (the object hast pykotaUserName=testuser) with
'ldapsearch -x -D uid=testuser,ou=People,o=test -W pykotaUserName=testuser'
, I get the following debug output on the server:

=> dn: [26] ou=jobs,ou=pykota,o=test
=> acl_get: [26] matched
=> acl_get: [26] attr entry
=> acl_mask: access to entry "cn=123,ou=Jobs,ou=PyKota,o=test", attr
"entry" requested
=> acl_mask: to all values by "uid=testuser,ou=people,o=test", (=n)
<= check a_dn_pat: cn=pykota,ou=admin,o=test
<= check a_dn_pat: *
<= acl_mask: [3] applying search(=scx) (stop)
<= acl_mask: [3] mask: search(=scx)
=> access_allowed: read access denied by search(=scx)

It seem like the server doesn't recognize the set-rule, because the server
only tries 'check a_dn_pat: cn=pykota,ou=admin,o=test' and 'check a_dn_pat: *'

No, it doesn't shouw up because there's no corresponding logging for the set rule; I'll fix this in a moment. I suspect this should be backported to 2.2; please file an ITS <http://www.openldap.org/its/>.

I'm using openLDAP 2.2.13-2 running on a RHEL 4 server

Sets (and your specific rule) seem to work as expected in the latest 2.2 (and in 2.3, of course); I note that in 2.2's CHANGES:

OpenLDAP 2.2.16 Release
       Fixed slapd ACL sets bug (ITS#3140)

In any case, current stable is 2.2.26, so I suspect you'd better upgrade.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497