[Date Prev][Date Next] [Chronological] [Thread] [Top]

attrs=@objectClassName affects objectClass attribute

To: openldap-technical <openldap-technical@openldap.org>
Subject: attrs=@objectClassName affects objectClass attribute
From: Nick Milas <nick@eurobjects.com>
Date: Wed, 06 Jun 2012 17:40:11 +0300
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

I am facing the following problem (with v2.4.31 on CentOS 5.8).

I am using a - recently added - custom schema with one AUX objectclassand 3 optional attrs; I am trying to use an ACL of the form:

access to dn.subtree="ou=people,dc=example,dc=com"attrs=@entryAccessEntitiesbygroup/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read

but strangely this ALSO changes the privileges for the objectClassattribute of the entry!


If I list the attrs of that object class instead, there is no problem:

access to dn.subtree="ou=people,dc=example,dc=com"attrs=writeAccessEntities,readAccessEntities,searchAccessEntitiesbygroup/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read

Now, the ACL works correctly, and it does not affect the entryobjectClass attribute.

Surprisingly, this does not happen with other object classes. If I use,for example:


access to dn.subtree="ou=people,dc=example,dc=com" attrs=@eduPerson

bygroup/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read

then, it correctly assigns privileges to only the attrs of eduPersonobject class (also an AUX class with only optional attrs), withoutaffecting the entry objectclass attribute.


Does anyone have an idea what is happening? Am I doing anything wrong?

Any help will be appreciated.

For reference I include the schema below.

Note: I am using dynamic config, but I have listed schema and ACLs intheir "standard" form, for better readability.


Thanks,
Nick

=====================================================
entryaccess.schema
=====================================================

attributetype ( 1.3.6.1.4.1.39349.4.1.11
   NAME 'writeAccessEntities'

DESC 'DNs of Groups which should be allowed write (full) access tothis entry'

   SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.39349.4.1.12
   NAME 'readAccessEntities'

DESC 'DNs of Groups which should be allowed read (read-only) accessto this entry'

   SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.39349.4.1.13
   NAME 'searchAccessEntities'

DESC 'DNs of Groups which should be allowed search (search-only)access to this entry'

   SUP distinguishedName )

objectclass ( 1.3.6.1.4.1.39349.4.2.101
   NAME 'entryAccessEntities'

DESC 'Allow access to the entry, to which this class is added, tothe entities specified as the values (DNs) of this class attributes'

   SUP top AUXILIARY

MAY ( writeAccessEntities $ readAccessEntities $searchAccessEntities ) )


=====================================================

Follow-Ups:
- Re: attrs=@objectClassName affects objectClass attribute
  - From: Jan-Piet Mens <jpmens.dns@gmail.com>

Prev by Date: Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)
Next by Date: Wildcard and Internal Domain
Index(es):
- Chronological
- Thread