Hi all,

I have tested the ACL of OpenLDAP 2.4 by using the following code in slapd.conf:

    access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write
        by users read

In my directory there is a dn: cn=LdapAdmins,ou=Groups,dc=example,dc=com, but from the log message shown below the dn does not match the pattern cn=[^,]+,ou=Groups,dc=example,dc=com, because it gets read permission. After that I changed the ACL to:

    access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
        by users read

It works correctly and gets write permission. Because I use group/groupOfUniqueNames/uniqueMember.regex, it should treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression pattern, but it seems that it is just an exact pattern. Why? Who can explain?

Log level 128:

    => access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
    => dn: [2] ou=system,dc=example,dc=com
    => acl_get: [2] matched
    => acl_get: [2] attr objectClass
    => slap_access_allowed: result not in cache (objectClass)
    => acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
    => acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
    <= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
    => acl_string_expand: pattern: cn=[^,]+,ou=Groups,dc=example,dc=com
    => acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com
    <= check a_dn_pat: users
    <= acl_mask: [2] applying read(=rscxd) (stop)
    <= acl_mask: [2] mask: read(=rscxd)
    => slap_access_allowed: read access granted by read(=rscxd)
    => access_allowed: read access granted by read(=rscxd)
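For comparison, here is an added slapd.conf example (not from the original post) showing the two group-clause styles that slapd.access(5) documents for the `group` clause: an exact group DN, and the `expand` style, which substitutes `$N` submatches captured by the `to` clause into the group string and then looks up the result as a literal group DN rather than matching it as a regular expression. This is the behaviour the log above records (acl_string_expand prints the pattern and its expansion, and the unchanged `cn=[^,]+,...` string is then used as the group DN). The `cn=$1-Admins,...` naming scheme is a constructed assumption for illustration.

```conf
# Added example, not from the original post.

# 1. Exact group DN: every uniqueMember of cn=LdapAdmins gets write, everyone
#    else who is authenticated gets read. No regex is involved here at all.
access to dn.subtree="ou=System,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
    by users read

# 2. expand style: the regular expression lives in the <to> clause, where it is
#    actually evaluated. The parenthesised submatch (the OU of the target entry)
#    is substituted for $1 in the group string; the expanded string is then
#    treated as the exact DN of the group whose uniqueMember list is checked.
#    A request on uid=authenticate,ou=System,dc=example,dc=com therefore looks
#    up cn=System-Admins,ou=Groups,dc=example,dc=com (constructed group name).
access to dn.regex="^uid=[^,]+,ou=([^,]+),dc=example,dc=com$"
    by group/groupOfUniqueNames/uniqueMember.expand="cn=$1-Admins,ou=Groups,dc=example,dc=com" write
    by users read
```

The character class `[^,]+` is meaningful only in the `to dn.regex` pattern; placed inside the group string it is never compiled as a regex, so the only way to "match any group" is to derive the group DN from the target entry's DN as in the second stanza.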