
Re: ACL contextCSN



--On Thursday, October 25, 2018 10:25 AM +0200 Lirien Maxime <maxime.lirien@gmail.com> wrote:

OK, thanks Quanah!
I removed the "*" on ACL except for the last rule.
I don't understand: it is rejected by the last rule. Why does it not
match rule #3? Normally it may stop at the first match?

Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry
"dc=fr", attr "objectClass" requested

Hi Lirien,

It's clearly asking for access to the objectClass attribute in "dc=fr", which is not a part of your ACL#3, so it's correctly denied:

# 3) ********* CONTEXTCSN *********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
   by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
   by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
   by * none

You need to modify the access to line to include objectClass.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
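
The behaviour explained in this reply, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model of how a rule is selected per entry and attribute, so a request for objectClass skips ACL #3 until the attribute is listed. The catch-all rule, the rule labels and the function names are constructed for illustration; the poster's real last rule is not shown in the thread.

```python
# Simplified model of slapd ACL selection. Only dn.base targets, attrs lists
# and dn.exact / * subjects are modelled; everything else is left out.

def rule(label, target_dn, attrs, by):
    """target_dn=None models 'access to *'; attrs=None covers every attribute."""
    return {
        "label": label,
        "dn": target_dn.lower() if target_dn else None,
        "attrs": {a.lower() for a in attrs} if attrs else None,
        "by": [(who.lower(), level) for who, level in by],
    }

def evaluate(acls, bind_dn, entry_dn, attr):
    """Return (label_of_rule_used, level) for one entry/attribute request."""
    for acl in acls:
        if acl["dn"] is not None and acl["dn"] != entry_dn.lower():
            continue  # <what> DN does not match this entry
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue  # attribute not listed: rule is skipped, not applied
        for who, level in acl["by"]:
            if who == "*" or who == bind_dn.lower():
                return acl["label"], level  # first matching <who> wins
        return acl["label"], "none"  # implicit trailing "by * none"
    return None, "none"  # implicit final "access to * by * none"

SYNCHRO = "cn=Synchro,ou=Comptes Admin,dc=fr"
SUPERVISION = "cn=supervision,ou=Comptes Clients,dc=fr"
WHO = [(SYNCHRO, "read"), (SUPERVISION, "read"), ("*", "none")]

# Constructed stand-in for the poster's last rule, which the thread omits.
CATCH_ALL = rule("last", None, None, [("*", "none")])

# ACL #3 as posted, then with objectClass added as the reply advises.
BEFORE = [rule("acl3", "dc=fr", ["entry", "children", "contextcsn"], WHO), CATCH_ALL]
AFTER = [rule("acl3", "dc=fr",
              ["entry", "children", "contextcsn", "objectClass"], WHO), CATCH_ALL]

if __name__ == "__main__":
    for name, acls in (("before", BEFORE), ("after", AFTER)):
        for attr in ("contextCSN", "objectClass"):
            print(name, attr, evaluate(acls, SYNCHRO, "dc=fr", attr))
```

Against a real configuration, OpenLDAP's `slapacl` tool answers the same question from the actual ACL set.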