(ITS#3780) val.regex with attributes doesn't honor searches
Full_Name: Quanah Gibson-Mount
Version: 2.2.26
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.19.82)
I have the following ACL:
    access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup
        val.regex="^itss-smarts:.+"
        by dn.base="cn=smarts,cn=service,cn=applications,dc=stanford,dc=edu"
            sasl_ssf=56 read
        by * break
which gives access to read (and lesser privs) for the suPrivilegeGroup attribute
when the value starts with itss-smarts.
I also have:
    access to dn.children="cn=people,dc=stanford,dc=edu"
        filter=(suprivilegegroup=itss-smarts:*) attrs=uid
        by dn.base="cn=smarts,cn=service,cn=applications,dc=stanford,dc=edu"
            sasl_ssf=56 read
        by * break
so that principal can get UID for any entry that has itss-smarts:* for a value
of suprivilegegroup.
However, I find that I'm unable to search like this:
    ldapsearch -h ldap9 -b"dc=stanford,dc=edu" "(suprivilegegroup=itss-smarts:*)"
which according to the ACL rules is a valid search, since the principal has READ
on suprivilegegroup where the values start with itss-smarts:
--Quanah