
Re: ACL rule problem



> Hi *,
>
> Banging my head on an ACL rule problem, using OL 2.1.22. I have
> consulted the Admin guide, the slapd.access man page and the FAQ
> (especially http://www.openldap.org/faq/data/cache/973.html). From
> looking at these sources and applying what they tell me my rule
> *should* work.
>
> The ACL:
>
> --------------------------
> access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
>      by group/groupOfUniqueNames/uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
>      by * none
> --------------------------
>
>
> The outcome:
>
> ----------------
> => access_allowed: search access to "ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
> => acl_get: [1] check attr objectClass
> => dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
> => acl_get: [2] matched
> => acl_get: [2] check attr objectClass
> <= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr: objectClass
> => acl_mask: access to entry "ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass" requested
> => acl_mask: to value by "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com", (=n)
> -----------------
>
> I'm convinced this must be a replacement problem, but the debugging
> does not tell me what $2 evaluates to during processing. Can anyone see
> a flaw in the rule or knows how to debug access rules with even more
> detail?

At first glance (as far as I remember about 2.1 ACLs) the rule looks
fine; the point is: does an entry
"ou=mycompany.com,ou=mail,dc=mycompany,dc=com" exist, is it an objectClass
groupOfUniqueNames, does it have a uniqueMember attribute with value
"cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com" ?

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
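The debug trace in the question stops before showing what `$2` became. The Python script below is an added example, not part of this thread or of OpenLDAP itself; it replays the two steps a `by group/<objectClass>/<attr>.regex=` clause performs: match the target DN against the `to dn.regex`, expand `$N` and `$$` in the group pattern the way slapd.access(5) describes (an unmatched optional group expands to nothing, `$$` is a literal dollar), and then look the resulting string up as a group DN. Two assumptions are encoded: that the expanded string is used as the group's DN rather than matched as a second regex (which is how later releases of slapd.access(5) document the style they call `expand`, retaining `regex` as the older spelling), and that slapd's DN normalisation can be approximated by lower-casing. The sample directory, the `GROUP_PATTERN_PLAIN` variant with the anchors removed, and every function name are constructed for the example.

```python
import re

# ACL from the post: the 'to' dn.regex and the group-DN pattern of the 'by' clause.
TO_DN_REGEX = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
GROUP_PATTERN_POSTED = "^ou=$2,ou=mail,dc=mycompany,dc=com$$"
# Assumption for comparison: the same pattern without regex anchors.
GROUP_PATTERN_PLAIN = "ou=$2,ou=mail,dc=mycompany,dc=com"

# Constructed sample directory (only the two DNs named in the post are taken from it):
# the per-domain ou is also a groupOfUniqueNames listing the mailbox entry as a member.
SAMPLE_DIRECTORY = {
    "ou=mycompany.com,ou=mail,dc=mycompany,dc=com": {
        "objectClass": ["organizationalUnit", "groupOfUniqueNames"],
        "uniqueMember": [
            "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        ],
    },
}


def expand_submatches(pattern, match):
    """Expand '$N' with submatch N of `match` and '$$' with a literal '$', the
    expansion slapd.access(5) describes for ACL patterns. An unmatched optional
    group (here the '(.+,)?' prefix) expands to the empty string."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "$" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "$":
                out.append("$")
                i += 2
                continue
            if nxt.isdigit() and int(nxt) <= match.re.groups:
                out.append(match.group(int(nxt)) or "")
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def normalize_dn(dn):
    """Simplified stand-in for slapd's DN normalisation: lower-case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_plausible_dn(dn):
    """Every RDN must be 'type=value' with a type of letters, digits or hyphens.
    A '^' or '$' left over from a regex pattern fails this check."""
    return all(re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=[^$]+", rdn) for rdn in dn.split(","))


def resolve_group_dn(to_regex, target_dn, group_pattern):
    """Match the target DN against the 'to' clause and expand the 'by group' pattern.
    Returns (submatches, expanded_group_dn), or None when the 'to' clause does not match."""
    m = re.search(to_regex, target_dn)
    if m is None:
        return None
    subs = {n: (m.group(n) or "") for n in range(1, m.re.groups + 1)}
    return subs, expand_submatches(group_pattern, m)


def group_grants_access(directory, group_dn, requester_dn,
                        objectclass="groupOfUniqueNames", member_attr="uniqueMember"):
    """Model the 'by group/<objectclass>/<attr>' check: the expanded string must be a
    usable DN naming an existing entry of that objectClass whose member attribute
    lists the requester. If any of the three fails, the clause does not apply."""
    if not is_plausible_dn(group_dn):
        return False
    entry = directory.get(normalize_dn(group_dn))
    if entry is None or objectclass not in entry.get("objectClass", []):
        return False
    members = {normalize_dn(v) for v in entry.get(member_attr, [])}
    return normalize_dn(requester_dn) in members


def trace(target_dn, requester_dn, group_pattern, directory=SAMPLE_DIRECTORY):
    """Print what each '$N' expanded to and whether the group clause would grant access."""
    resolved = resolve_group_dn(TO_DN_REGEX, target_dn, group_pattern)
    if resolved is None:
        print(f"{target_dn}: 'to' clause does not match")
        return False
    subs, group_dn = resolved
    for n, value in subs.items():
        print(f"  ${n} = {value!r}")
    granted = group_grants_access(directory, group_dn, requester_dn)
    print(f"  group DN after expansion: {group_dn!r} -> {'write' if granted else 'no access'}")
    return granted


if __name__ == "__main__":
    target = "ou=mycompany.com,ou=mail,dc=mycompany,dc=com"
    jens = "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com"
    print("pattern as posted:")
    trace(target, jens, GROUP_PATTERN_POSTED)
    print("pattern without anchors:")
    trace(target, jens, GROUP_PATTERN_PLAIN)
    print("mailbox entry below the ou:")
    trace(jens, jens, GROUP_PATTERN_PLAIN)
```

Running it prints, for each candidate pattern, the values bound to `$1` and `$2` and the string the `by` clause ends up with, which is the information the `-d` trace in the question does not print. If the expanded string carries regex anchors it cannot name an entry, so the group lookup fails and the rule falls through to `by * none`; with the anchor-free variant the lookup finds the constructed group and the member check succeeds.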