[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: attrs=@objectClassName affects objectClass attribute

To: Howard Chu <hyc@symas.com>
Subject: Re: attrs=@objectClassName affects objectClass attribute
From: Nick Milas <nick@eurobjects.com>
Date: Wed, 06 Jun 2012 19:41:15 +0300
Cc: Jan-Piet Mens <jpmens.dns@gmail.com>, openldap-technical@openldap.org
In-reply-to: <4FCF78FE.1030605@symas.com>
References: <4FCF6BCB.7050807@eurobjects.com> <20120606151939.GA80965@jmbp.ww.mens.de> <4FCF78FE.1030605@symas.com>
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 6/6/2012 6:36 ÎÎ, Howard Chu wrote:

Don't inherit from top.


In my case, removing top ObjectClass from an entry does not change behavior.

Here is the entry, after removing top:

DN: uid=tester,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: schacContactLocation
objectClass: entryAccessEntities
cn: Tester
eduPersonAffiliation: staff
eduPersonOrgDN: dc=example,dc=com
eduPersonOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrimaryAffiliation: staff
eduPersonPrimaryOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrincipalName: tester@example.com
eduPersonScopedAffiliation: staff@example.com
employeeType: unl
givenName: Tester
mail: tester@example.com
o: example
ou: research
schacHomeOrganization: example.com
sn: Tester
title: Scientific Technical Staff
uid: tester
userPassword:: secret
writeAccessEntities: cn=Admins,ou=Groups,dc=example,dc=com

When I use:

{xx}to dn.subtree="ou=people,dc=example,dc=com"attrs=@entryAccessEntities bygroup/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com"read

*NOTE:* The DN should have write access to all other attrs, based onother ACLs


then:

# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D"uid=admin1,ou=people,dc=example,dc=com"

authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=eduPerson: read(=rscxd)
objectClass=schacContactLocation: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)

but when:

{xx}to dn.subtree="ou=people,dc=example,dc=com"attrs=writeAccessEntities,readAccessEntities,searchAccessEntitiesbygroup/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com"read


then:

# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D"uid=admin1,ou=people,dc=example,dc=com"

authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: write(=wrscxd)
objectClass=organizationalPerson: write(=wrscxd)
objectClass=inetOrgPerson: write(=wrscxd)
objectClass=eduPerson: write(=wrscxd)
objectClass=schacContactLocation: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)

Please advise.

Thanks,
Nick

Follow-Ups:
- Re: attrs=@objectClassName affects objectClass attribute
  - From: Michael StrÃder <michael@stroeder.com>

References:
- attrs=@objectClassName affects objectClass attribute
  - From: Nick Milas <nick@eurobjects.com>
- Re: attrs=@objectClassName affects objectClass attribute
  - From: Jan-Piet Mens <jpmens.dns@gmail.com>
- Re: attrs=@objectClassName affects objectClass attribute
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Wildcard and Internal Domain
Next by Date: Re: attrs=@objectClassName affects objectClass attribute
Index(es):
- Chronological
- Thread