
Re: Openldap Group ACL

On 07/08/2009 22:36, Jittinan Suwanrueangsri wrote:
Hi all

I have tested acl of OpenLdap 2.4  by  using  following code  in

access to dn.subtree="ou=System,dc=example,dc=com"
         by users read

In my directory there is a DN cn=LdapAdmins,ou=Groups,dc=example,dc=com,
but according to the log message shown below this DN does not match the pattern
cn=[^,]+,ou=Groups,dc=example,dc=com, because it only gets read
permission. After that I changed the ACL to

access to dn.subtree="ou=System,dc=example,dc=com"
         by users read

It works correctly and gets write permission.

Because I use group/groupOfUniqueNames/uniqueMember.regex, it should
treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression
pattern, but it seems to be treated as an exact pattern. Why? Can anyone explain?

According to slapd.access(5), regex expansion is not supported for the group clause in ACLs.

Only submatch replacement is possible.

To implement this access policy, you may want to check out sets. See


Log (loglevel 128, ACL processing):

=> access_allowed: read access to
"uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry
"uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: pattern:  cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com
<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)

Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
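The log above shows the whole story in two lines: acl_string_expand leaves the group pattern byte-for-byte unchanged, and the group check then fails because "cn=[^,]+,..." is compared literally against "cn=LdapAdmins,...". The following Python is an added illustration, not OpenLDAP code and not from either poster: it is a small model of the two matching rules in play (a dn.regex clause is a real regular expression; a group/.../attr.regex clause is only $N-expanded from the to-clause submatches and then compared exactly), run over DNs constructed from the thread. The hypothetical naming convention "cn=<ou>Admins" used in the last function, and the crude DN normalisation, are assumptions made for the example only.

```python
import re

# Constructed sample DNs, modelled on the thread (not real directory content).
GROUP_DN = "cn=LdapAdmins,ou=Groups,dc=example,dc=com"
TARGET_DN = "uid=authenticate,ou=System,dc=example,dc=com"
POSTED_PATTERN = "cn=[^,]+,ou=Groups,dc=example,dc=com"


def normalize_dn(dn):
    """Crude stand-in for slapd's DN normalisation (assumption: lowercase,
    whitespace trimmed, no escaped commas) so comparisons are case-insensitive."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def acl_string_expand(pattern, submatches):
    """Model of what slapd's acl_string_expand does to a group pattern:
    only $N / ${N} are replaced by submatches captured by the `to` clause.
    Regex metacharacters such as [^,]+ are left untouched, which is exactly
    what the 'pattern:' / 'expanded:' log lines show."""
    def repl(m):
        idx = int(m.group(1) or m.group(2))
        return submatches[idx] if idx < len(submatches) else ""
    return re.sub(r"\$(?:(\d)|\{(\d+)\})", repl, pattern)


def group_clause_matches(pattern, group_dn, submatches=()):
    """group/objectclass/attr.regex (really .expand): expand, then compare
    the result EXACTLY against the group's DN. No regex matching happens."""
    expanded = acl_string_expand(pattern, list(submatches))
    return normalize_dn(expanded) == normalize_dn(group_dn)


def dn_clause_matches(pattern, dn):
    """dn.regex: a real regular-expression match against the DN."""
    return re.search(pattern, normalize_dn(dn), re.IGNORECASE) is not None


def explain(pattern=POSTED_PATTERN, group_dn=GROUP_DN):
    """Same pattern string, two different rules: a match under dn.regex,
    a literal mismatch under the group clause."""
    return {
        "as_dn_regex": dn_clause_matches(pattern, group_dn),
        "as_group_regex": group_clause_matches(pattern, group_dn),
    }


# What submatch replacement CAN do: capture the OU of the target entry in the
# `to dn.regex` clause and build a concrete group DN from it, e.g.
#   access to dn.regex="^uid=[^,]+,ou=([^,]+),dc=example,dc=com$"
#       by group/groupOfUniqueNames/uniqueMember.expand="cn=$1Admins,ou=Groups,dc=example,dc=com" write
# (hypothetical naming convention; the man page documents the $N mechanism).
TO_PATTERN = r"^uid=[^,]+,ou=([^,]+),dc=example,dc=com$"


def group_for_target(target_dn, group_pattern="cn=$1Admins,ou=Groups,dc=example,dc=com"):
    m = re.match(TO_PATTERN, target_dn, re.IGNORECASE)
    if m is None:
        return None
    subs = [m.group(0)] + list(m.groups())   # $0 is the whole match, $1.. the groups
    return acl_string_expand(group_pattern, subs)


if __name__ == "__main__":
    print(explain())                       # {'as_dn_regex': True, 'as_group_regex': False}
    print(group_for_target(TARGET_DN))     # cn=SystemAdmins,ou=Groups,dc=example,dc=com
```

The takeaway for the ACL in the thread: a group clause can be parameterised by what the `to` clause captured, but it can never itself be a wildcard over "any group under ou=Groups"; for that kind of policy the reply's pointer to sets is the right direction.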