more access control puzzlement
I've encountered a couple more puzzling things with access control. I'm
trying to control access by IP address and a portion of the hierarchy.
The rules I want are:
provide limited access (specific attributes, limited part of the
hierarchy) to a group of machines,
show everything to one particular host (within a limited part
of the hierarchy),
deny everything to everyone else.
Then I need to repeat these rules multiple times, each one limiting access
to a different part of the hierarchy. Last, I need a rule granting access
to a couple of machines for the entire hierarchy.
So reading between the lines, I put in multiple rules and they look like this:
access to dn="*,ou=gems,o=store" attrs=sn,entry
by addr="206.34.215.253" read
access to dn="*,ou=gems,o=store"
by domain="localhost" write
defaultaccess none
What seems to happen is that the first rule is used but the second one is
ignored. I've tried different variants with different default access
values and I always seem to get the results specified by the first rule.
It never seems to drop to the second rule.
What am I missing? When I search for a specific attribute 'sn=bugs10', I
get the following line in the log (-d=128):
=> acl_access_allowed: search access to value "BUGS10" by ""
<= acl_access_allowed: denied by default (no matching by)
If I eliminate the defaultaccess none rule, all the other protections
vanish, as I would expect.
--- eric
Eric S Johansson esj@inguide.com esj@harvee.billerica.ma.us
This message was composed almost entirely by NaturallySpeaking.
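Added illustration, not part of the original message: a small Python model of slapd-style ACL evaluation run over the two rules quoted above. It assumes first-match semantics (the first "access to" clause whose target matches the entry and attribute is selected, then the first matching "by" inside it decides, and with no matching "by" the default applies), which is consistent with the "denied by default (no matching by)" log line. The rule data, client descriptions and the `evaluate` helper are constructed for this example.

```python
from fnmatch import fnmatch

# The two access rules from the post, transcribed into data (constructed).
RULES = [
    {"dn": "*,ou=gems,o=store", "attrs": {"sn", "entry"},
     "by": [{"addr": "206.34.215.253", "access": "read"}]},
    {"dn": "*,ou=gems,o=store", "attrs": None,  # None = every attribute
     "by": [{"domain": "localhost", "access": "write"}]},
]

def target_matches(rule, dn, attr):
    """Does this 'access to' clause cover the requested dn and attribute?"""
    if not fnmatch(dn.lower(), rule["dn"].lower()):
        return False
    return rule["attrs"] is None or attr in rule["attrs"]

def by_matches(clause, client):
    """Does this 'by' clause describe the requesting client?"""
    if "addr" in clause:
        return client.get("addr") == clause["addr"]
    if "domain" in clause:
        return client.get("domain") == clause["domain"]
    return False

def evaluate(rules, dn, attr, client, default="none"):
    """Return (access, reason) under assumed first-match ACL semantics."""
    for i, rule in enumerate(rules, start=1):
        if not target_matches(rule, dn, attr):
            continue
        for clause in rule["by"]:
            if by_matches(clause, client):
                return clause["access"], f"rule {i}"
        # Target matched but no 'by' matched: later rules are never consulted,
        # so the default access applies (the "no matching by" case in the log).
        return default, f"rule {i} matched target, no matching by"
    return default, "no rule matched target"

if __name__ == "__main__":
    dn = "cn=bugs10,ou=gems,o=store"  # constructed entry under the subtree
    print(evaluate(RULES, dn, "sn", {"addr": "206.34.215.253"}))
    print(evaluate(RULES, dn, "sn", {"domain": "localhost"}))  # stops at rule 1
    print(evaluate(RULES, dn, "cn", {"domain": "localhost"}))  # reaches rule 2
```

Requesting `sn` from localhost never reaches the second rule because the first clause already claims that attribute for the subtree; requesting an attribute the first clause does not list does reach it.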