Re: acl problem
Bernhard D Rohrer wrote:

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        by dn="uid=$1,ou=users,dc=graylion,dc=net" write
        by dn.regex="cn=admin,dc=graylion,dc=net" read
        by users none
This rule is bogus:

	by dn="uid=$1,ou=users,dc=graylion,dc=net" write

matches a DN exactly containing the literal "uid=$1,ou=users,dc=graylion,dc=net" (the default style has been "exact" for quite a long time);

	by dn.regex="cn=admin,dc=graylion,dc=net" read

uses a regex to match an exact value, which means that a DN __containing__ "cn=admin,dc=graylion,dc=net" (e.g.
"cn=admin,dc=graylion,dc=network") would match as well;
	by users none

is not necessary since anything not matching the previous "by" clauses will get the default privileges, i.e. "none" (actually, the default privileges should now be "disclose", so an explicit "by * none" could be necessary to strictly enforce "none").

p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
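For reference, a rewritten version of the quoted rule that addresses the three points above (this is an added illustration, not a fragment from the original thread; the `dn.exact,expand` style and the leading `^` anchor are the standard slapd.access(5) constructs, and the DNs are simply Bernhard's):

```conf
# Anchor the regex at both ends so only DNs directly under
# ou=personal,ou=contacts can match, and capture the cn value as $1.
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        # "exact,expand" keeps an exact DN comparison but substitutes $1
        # from the "to" clause; plain dn="..." would never expand $1.
        by dn.exact,expand="uid=$1,ou=users,dc=graylion,dc=net" write
        # Exact match: cn=admin,dc=graylion,dc=network no longer slips through.
        by dn.exact="cn=admin,dc=graylion,dc=net" read
        # Explicit catch-all, in case the default privilege is "disclose"
        # rather than "none" on this release.
        by * none
```

Check the result with slapacl(8) (for example `slapacl -b "cn=Someone,ou=personal,ou=contacts,dc=graylion,dc=net" -D "uid=Someone,ou=users,dc=graylion,dc=net"`) rather than by reading the config; that is the only reliable way to see which clause a given identity actually hits.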