
Re: access control
Looks reasonable to me. The ACL you're hitting (by your own trial and
error admission) is:

> # access to information fields
> access to
>         dn.regex="^(.+)o=oil([^,]+)$"
>         attrs=@inetOrgPerson,cn
>         by self write
>         by group/groupOfUniqueNames/uniqueMember.expand="cn=Users Editors,ou=groups,o=oil$2" write
>         by users read

And your log says...

> Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access to "uid=dkirhlarov,ou=users,o=oilspace" "uid" requested

that an attempt to access attr=uid, which is "@inetOrgPerson" and thereby
covered by "# access to information fields",

> Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: to value by "", (=0)

by "", i.e. anonymous,

> Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: self
> Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: users

does not match "by self",
does not match "by group*",
and does not match "by users",

> Jun 22 14:42:13 los02 slapd[4390]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access denied by =0

and there are no rules left, so the implicit "by * none" applies. And you
get all the access ("none") you deserve with the current binding.

If you want "anonymous" to do something, say so in the ACL clause. If you
want to be bound as somebody else, issue a BIND. Otherwise everything
looks good?
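The evaluation walked through above (target match on the dn.regex, then the <who> clauses tried in order, then the implicit "by * none") can be reproduced offline. The following Python model is an added example, not code from the original thread or from OpenLDAP; it models only the one ACL quoted above, with a constructed four-entry directory, an abbreviated stand-in for the @inetOrgPerson attribute set, and a second ACL variant with an explicit "by anonymous search" clause to show what changes when anonymous access is granted deliberately. Entry DNs other than the one in the log, and the group membership, are assumptions.

```python
import re

# Constructed directory (not the poster's data): DN -> attributes.
DIRECTORY = {
    "uid=dkirhlarov,ou=users,o=oilspace": {
        "objectClass": ["inetOrgPerson"], "uid": ["dkirhlarov"], "cn": ["D. Kirhlarov"]},
    "uid=alice,ou=users,o=oilspace": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,ou=users,o=oilspace": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "cn": ["Bob"]},
    # Assumed group entry: only alice is a uniqueMember.
    "cn=Users Editors,ou=groups,o=oilspace": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=users,o=oilspace"]},
}

# Abbreviated stand-in for "@inetOrgPerson" (the real expansion is the whole
# objectclass's MAY/MUST list); "cn" is listed explicitly in the ACL anyway.
INETORGPERSON_ATTRS = {"uid", "cn", "sn", "givenName", "mail", "telephoneNumber"}

# slapd access levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_allows(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)


# The ACL from the thread, as (kind, spec, level) who-clauses in file order.
ACL_ORIGINAL = {
    "dn_regex": r"^(.+)o=oil([^,]+)$",
    "attrs": INETORGPERSON_ATTRS | {"cn"},
    "who": [
        ("self", None, "write"),
        ("group", "cn=Users Editors,ou=groups,o=oil$2", "write"),
        ("users", None, "read"),
    ],
}

# Variant with an explicit anonymous clause, as the reply suggests
# ("if you want anonymous to do something, say so"). Assumed level: search.
ACL_WITH_ANON = {
    **ACL_ORIGINAL,
    "who": ACL_ORIGINAL["who"] + [("anonymous", None, "search")],
}


def evaluate(bind_dn, target_dn, attr, acl=ACL_ORIGINAL, trace=None):
    """Return the access level the ACL grants bind_dn on target_dn/attr,
    or None if the ACL does not apply (slapd would move to the next ACL).
    bind_dn == "" models an anonymous connection, as "" does in the log."""
    log = trace if trace is not None else []
    m = re.match(acl["dn_regex"], target_dn)
    if not m or attr not in acl["attrs"]:
        log.append("acl does not apply to target/attr")
        return None
    for kind, spec, level in acl["who"]:
        log.append(f"check a_dn_pat: {kind}")
        if kind == "self" and bind_dn == target_dn:
            return level
        if kind == "group":
            # ".expand": substitute $1/$2 from the dn.regex match into the group DN.
            group_dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), spec)
            if bind_dn in DIRECTORY.get(group_dn, {}).get("uniqueMember", []):
                return level
        if kind == "users" and bind_dn:
            return level
        if kind == "anonymous" and not bind_dn:
            return level
        if kind == "*":
            return level
    log.append("no more <who> clauses, returning none (stop)")
    return "none"  # implicit "by * none"


def search_allowed(bind_dn, target_dn, attr, acl=ACL_ORIGINAL):
    granted = evaluate(bind_dn, target_dn, attr, acl)
    return granted is not None and level_allows(granted, "search")


if __name__ == "__main__":
    target = "uid=dkirhlarov,ou=users,o=oilspace"
    for who in ["", target, "uid=alice,ou=users,o=oilspace", "uid=bob,ou=users,o=oilspace"]:
        t = []
        lvl = evaluate(who, target, "uid", trace=t)
        print(f'bind "{who}": {lvl} ({"; ".join(t)})')
```

Running it reproduces the log's outcome for the anonymous bind (every <who> clause is checked and fails, so the result is "none"), while the same request bound as the entry itself yields "write", as a member of the expanded group yields "write", and as any other authenticated user yields "read". Only the variant with the explicit anonymous clause lets the unauthenticated search through.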