
Upgrading ACLs



I am upgrading from openldap-2.1.22 to openldap-2.2.23, and I am having some 
difficulty getting the ACLs to a state that the new version is happy with. 
Can anyone describe (or point me to a document that describes) the ACL syntax 
differences between these versions? My searches have so far produced 
only fragmentary results.

What I've learned so far: I found I needed to change "access to dn=" to 
"access to dn.regex=" when the dn contained any regular expression syntax. 
After making this change, slapd starts without complaint, but it appears that 
my "by group=" access rules are not being used, if I am interpreting the 
slapd logging output correctly.

I also changed "attr=" to "attrs=" for each ACL.

Other possibly relevant information: Some of the group identifiers contain 
references to a match group in dn.regex, such as:

    access to dn.regex="dc=([^,]+),o=([^,]+)"
        by group="cn=admin,ou=sys,o=$2"

As you can probably tell, I'm groping in the dark a bit. Any direction is 
appreciated.


Thank you,
Jeffrey
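
A checker for the changes described in the message above, as an added example that is not part of the original post: it joins slapd.conf continuation lines, then flags "access to dn=" values containing regex syntax, "attr=" clauses, and "by group=" patterns that reference $N so they can be reviewed. The sample config, the function names and the message texts are assumptions constructed for illustration.

```python
import re

# Constructed 2.1-style sample for illustration (not the poster's real config).
SAMPLE = '''\
access to dn="dc=([^,]+),o=([^,]+)" attr=userPassword
\tby group="cn=admin,ou=sys,o=$2" write
\tby * none
access to dn="ou=people,o=example"
\tby * read
'''

# Regex syntax that should not occur in a literal DN. '.', '+' and '\' are
# left out because they also appear in ordinary DNs.
REGEX_META = re.compile(r'[\^$*?()\[\]{}|]')


def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) into directives."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw[0] in ' \t' and out:
            out[-1] = (out[-1][0], out[-1][1] + ' ' + raw.strip())
        else:
            out.append((lineno, raw.strip()))
    return out


def lint(text):
    """Return (line, message) pairs for the ACL constructs named in the post."""
    findings = []
    for lineno, line in logical_lines(text):
        if not re.match(r'access\s+to\b', line):
            continue
        m = re.match(r'access\s+to\s+dn=("[^"]*"|\S+)', line)
        if m and REGEX_META.search(m.group(1)):
            findings.append((lineno, 'dn= holds regex syntax: use dn.regex='))
        if re.search(r'\battr=', line):
            findings.append((lineno, 'attr= should be attrs='))
        for g in re.finditer(r'\bby\s+group[^=\s]*=("[^"]*"|\S+)', line):
            if re.search(r'\$\d', g.group(1)):
                findings.append((lineno, 'group pattern uses $N: review'))
    return findings


if __name__ == '__main__':
    for lineno, msg in lint(SAMPLE):
        print(f'line {lineno}: {msg}')
```

Reported line numbers are those of the first physical line of each directive, since continuation lines are folded into it.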