problem with set ACL
I have a problem with the set keyword in ACL.
Here is the setup. My directory has objects in two classes:
persons and addresses
A person looks like this:
An address looks like this:
Now I want to give a user the right to modify the netExampleEnable
attribute for an address if his rfc822Mailbox matches the netExampleMail
of the address.
After banging my head on the documentation for one day, I came to the
conclusion that I had to use the set keyword. Here is what I tried:
access to dn.regex="netExampleMail=([^,]+),dc=example,dc=net"
by * read
The access is always granted, whatever address entry a user attempts to
Worse: the URI dereferencing is ignored: replacing the LDAP host with an IP
address that has no LDAP service causes no error. Running tcpdump shows
that no attempt was made to connect to the LDAP service.
Here is the log output:
=> acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested
=> acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)
<= check a_set_pat: [ldap://example.net/dc=example,dc=net?dn?sub?rfc822mailbox=$1]
<= acl_mask:  applying write(=wrscxd) (stop)
<= acl_mask:  mask: write(=wrscxd)
=> access_allowed: delete access granted by write(=wrscxd)