Re: Quick ACL help

[Ralf Haferkamp <rhafer@suse.de>]

On Thursday 30 March 2006 19:47, Fran Fabrizio wrote:
> I am having a bit of trouble getting an ACL set correctly and could
> use an extra set of eyes to look at this and help me debug what the
> problem is.  ACLs are not my strong point and I am in a jam with this
> today. Thanks.
>
> Here is the -d 128 debugging output from slapd...
>
> --------------
> => access_allowed: write access to
> "ou=addr,uid=fran,ou=People,dc=cis,dc=uab,dc=edu" "children"
> requested => dn: [2] dc=cis,dc=uab,dc=edu
                       ^^^^^^^^^^^^^^^^^^^^
> => acl_get: [2] matched
> => acl_get: [2] attr children
> => acl_mask: access to entry
> "ou=addr,uid=fran,ou=People,dc=cis,dc=uab,dc=edu", attr "children"
> requested => acl_mask: to all values by
> "uid=fran,ou=people,dc=cis,dc=uab,dc=edu", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: uid=oxadmin,ou=people,dc=cis,dc=uab,dc=edu
> <= check a_dn_pat: *
> <= acl_mask: [3] applying read(=rscx) (stop)
> <= acl_mask: [3] mask: read(=rscx)
> => access_allowed: write access denied by read(=rscx)
> ---------------
>
> ...and here are the ACL entries that should govern write access to
> this area of the LDAP hierarchy....
Hm, it seems that the ACL you pasted below are not evaluted because 
there is another ACL before them that already matches the query. 
(Likely something with "dn.subtree=dc=cis,dc=uab,dc=edu" or similar).

> ---------------
> access to
> dn.regex="^ou=addr,(uid=([^,]+),ou=people,dc=cis,dc=uab,dc=edu)$"
> attrs=children
>     by dn.exact,expand="$1" write
>     by dn="uid=oxadmin,ou=People,dc=cis,dc=uab,dc=edu" write
>
>
> access to
> dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=people,dc=cis,dc=uab,d
>c=edu)$" attrs=entry
>     by dn.exact,expand="$2" write
>     by dn="uid=oxadmin,ou=People,dc=cis,dc=uab,dc=edu" write
>
> access to *
>     by self write
>     by * read
> ----------------
>
> Can anyone see anything obvious as to why I am getting denied write
> access?

-- 
Ralf