Re: ACL order changes * by * read access (ITS#2068)
At 02:33 PM 2002-09-04, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.4
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.64.13.58)
You should make sure you have a working regex library...
(some versions of Solaris come with brain dead regex
libraries).
Or just rewrite all your ACLs to avoid regexes.
See slapd-access(5).
Kurt
>Hello,
>
>If I create an ACL file like this:
>
># ACL include file for slapd
>#
># this is specific to ldap4.stanford.edu for testing
>
>access to *
> by dn="cn=manager,dc=stanford,dc=edu" write
> by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
> by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
> by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
> by * read
>
>access to dn=".*,cn=People,dc=stanford,dc=edu"
> by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
>
>access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
> by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
>
>Access seems to work correctly. However, if I change the order thus:
>
># ACL include file for slapd
>#
># this is specific to ldap4.stanford.edu for testing
>
>access to dn=".*,cn=People,dc=stanford,dc=edu"
> by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
>
>access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
> by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
>
>access to *
> by dn="cn=manager,dc=stanford,dc=edu" write
> by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
> by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
> by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
> by * read
>
>
>When I do an ldapsearch, I see only the Accounts subtree. I would guess that
>something is incorrect in the way in which slapd parses the regexp for the first
>2 entries in the second example.
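
Added example, not part of the original thread or of the OpenLDAP project's own configuration: the second ACL listing above with its regex patterns replaced by the DN style qualifiers documented in slapd.access(5), as the reply suggests. It assumes that `.*,cn=People,...` and `.*,cn=Accounts,...` were meant to cover every entry below those containers.

```conf
# Added example: regex-free form of the reporter's second listing.
# Assumption: ".*,cn=People,..." means "every entry below cn=People",
# which the dn.children style expresses without calling the regex library.
# The group= lines are left as the reporter wrote them.
#
# slapd uses the first "access to" clause whose target matches an entry,
# and an identity not listed in that clause's "by" lines gets no access
# from it, so check each clause's "by" list after any reordering.

access to dn.children="cn=People,dc=stanford,dc=edu"
        by dn.exact="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write

access to dn.children="cn=Accounts,dc=stanford,dc=edu"
        by dn.exact="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write

access to *
        by dn.exact="cn=manager,dc=stanford,dc=edu" write
        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
        by dn.exact="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
        by * read
```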