
Re: Openldap Group ACL



On 07/08/2009 22:36, Jittinan Suwanrueangsri wrote:
Hi all

I have tested the acl of OpenLDAP 2.4 by using the following code in
slapd.conf


access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write
        by users read


In my directory there is a dn: cn=LdapAdmins,ou=Groups,dc=example,dc=com
but from the log message shown below the dn does not match the pattern
cn=[^,]+,ou=Groups,dc=example,dc=com, because it gets read
permission. After that I changed the acl to

access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
        by users read

It works correctly, getting write permission.

Because I use group/groupOfUniqueNames/uniqueMember.regex, it should
treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression
pattern, but it seems that it is just an exact pattern. Why? Who can explain?

According to slapd.access(5), regex expansion is not supported for the group clause in ACLs.

Only submatch replacement is possible.

To implement this access policy, you may want to check out sets. See
http://www.openldap.org/faq/data/cache/1133.html

Regards,
Jonathan

Log level 128

=> access_allowed: read access to
"uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry
"uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: pattern:  cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com
<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)



--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
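As an added illustration of the two alternatives the reply points to (sets, and submatch replacement), not taken from the thread: a slapd.conf fragment that grants write access on ou=System to group members without a regex in the group clause. The group names cn=LdapAdmins and cn=<ou>Admins and the child OUs under ou=System are assumptions for the example.

```conf
# Added example, not from the thread. Group and OU names are assumed.
# ACLs are evaluated in order and the first matching <what> wins, so the
# more specific dn.regex clause must come before the dn.subtree clause.

# 1) Submatch replacement: the <what> clause captures the child OU name
#    ($2) and the group clause substitutes it with the "expand" style.
#    dn.regex is matched against the normalized DN (lowercased, as the
#    "=> dn: [2] ou=system,dc=example,dc=com" log line shows), so the
#    pattern is written in lowercase. Only $n/${n} is substituted; any
#    "[^,]+" left in the group pattern is still treated as literal text.
access to dn.regex="^(.+,)?ou=([^,]+),ou=system,dc=example,dc=com$"
        by group/groupOfUniqueNames/uniqueMember.expand="cn=${2}Admins,ou=Groups,dc=example,dc=com" write
        by users read

# 2) Set syntax: intersect the group's uniqueMember values with the bound
#    user's DN; a non-empty result grants the access. The group DN is a
#    literal here, so membership is checked by exact DN comparison.
access to dn.subtree="ou=System,dc=example,dc=com"
        by set="[cn=LdapAdmins,ou=Groups,dc=example,dc=com]/uniqueMember & user" write
        by users read
```

Re-run with loglevel 128 (as in the quoted log) to confirm which clause applies; the "acl_string_expand: expanded:" line should then show the substituted group DN rather than the literal pattern.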