[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: set ACL specification/syntax

To: Andrew Cobaugh <phalenor@gmail.com>
Subject: Re: set ACL specification/syntax
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Fri, 06 Mar 2009 13:30:10 -0800
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <1b8d56200903061310xb47ac1cl6ebce3d13f4e9d5f@mail.gmail.com>
References: <1b8d56200903061246m421168b7ldd43daeee68538e8@mail.gmail.com> <468FA7BC840673FD209B06CC@192.168.1.199> <1b8d56200903061304q6675db68p25a977331fe5ef29@mail.gmail.com> <1b8d56200903061310xb47ac1cl6ebce3d13f4e9d5f@mail.gmail.com>

--On Friday, March 06, 2009 4:10 PM -0500 Andrew Cobaugh <phalenor@gmail.com> wrote:

Weird, this isn't matching:

access to dn.children="ou=group,dc=mydoman"
    by set="this/cn & user/uid" write

Instead, it's falling through to the "by * read" entry at the top of the
tree.

It doesn't even look like it's trying to match against that ACL, actually.

As documented, ACLs are evaluated in the order they are hit. So if you have a by * read at the top of your ACLs, then of course nothing after that will be evaluated.

I suggest you closely read slapd-access(5).

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- set ACL specification/syntax
  - From: Andrew Cobaugh <phalenor@gmail.com>

Prev by Date: Re: set ACL specification/syntax
Next by Date: Re: set ACL specification/syntax
Index(es):
- Chronological
- Thread