
Openldap Group ACL



Hi all

I have tested the ACL of OpenLDAP 2.4 by using the following code in slapd.conf


access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write
        by users read


In my directory there is a dn: cn=LdapAdmins,ou=Groups,dc=example,dc=com, but from the log message shown below the DN does not match the
pattern cn=[^,]+,ou=Groups,dc=example,dc=com, because it gets read permission. After that I changed the ACL to

access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
        by users read


It works correctly; I get write permission.

Because I use group/groupOfUniqueNames/uniqueMember.regex, it should treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression pattern, but it seems that it is just an exact pattern. Why? Who can explain?

Log level 128

=> access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: pattern:  cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com

<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
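As an added example (not the poster's configuration), here is the same ACL written the way slapd.access(5) defines the group clause: the .regex/.expand style treats the group DN as a replacement string for the $1.. substrings captured by a dn.regex "to" clause, not as a match pattern, which is why the log above shows the pattern expanding to itself and matching nothing. The per-OU group naming in the second rule (cn=SystemAdmins) is an assumption.

```conf
# Added example, not the original post's slapd.conf.
# The group DN is expanded as a replacement string, never matched as a
# regex, so "cn=[^,]+,..." is looked up literally and no such group exists.
# Name the admin group explicitly (least privilege: only this one group
# gets write; a true regex here would have widened it to every group
# under ou=Groups):
access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
        by users read

# The .expand style is for deriving the group DN from the target entry.
# $1 is the first parenthesised group of the dn.regex in the "to" clause.
# Assumed layout (constructed): one admin group per OU, e.g. an entry
# uid=authenticate,ou=System,... is writable by cn=SystemAdmins,ou=Groups,...
access to dn.regex="^uid=[^,]+,ou=([^,]+),dc=example,dc=com$"
        by group/groupOfUniqueNames/uniqueMember.expand="cn=$1Admins,ou=Groups,dc=example,dc=com" write
        by users read
```

With loglevel 128 the acl_string_expand lines for the second rule show the pattern with $1 and the expanded DN with the OU name substituted, which is the quickest way to confirm the substitution is doing what you expect.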