Filters in Access Controls
Hi,
Does anyone have a clue why the following does not work?
I configured some access controls in the slapd.conf file:
access to dn="o=users,o=org"
        by dn="cn=subscription,o=operators,o=org" write
access to filter="objectClass=device"
        by dn="cn=device,o=operators,o=org" write
defaultaccess read
which should do the following:
The user "cn=subscription,o=operators,o=org" has full access rights for the
subtree o=users,o=org. This rule works fine!
The user "cn=device,o=operators,o=org" has full rights for entries of type
device, which could be spread anywhere in the tree with root "o=org".
When I start the LDAP Server with debug-level 128, it shows me the ACIs:
ACL: access to dn=O=USERS,O=ORG
by dn=CN=SUBSCRIPTION,O=OPERATORS,O=ORG
ACL: access to filter=(objectClass=device)
by dn=CN=DEVICE,O=OPERATORS,O=ORG
Afterwards, I try to load, with the credentials of
CN=DEVICE,O=OPERATORS,O=ORG, an object of type device. I get an
"insufficient access" message returned and the server debug output shows me:
=> access_allowed: entry (o=devices,o=ORG) attr (children)
=> acl_get: entry (o=devices,o=ORG) attr (children)
<= acl_get: no match
=> acl_access_allowed: write access to entry "o=devices,o=ORG"
=> acl_access_allowed: write access to value "any" by "CN=DEVICE,O=OPERATORS,O=ORG"
<= acl_access_allowed: denied by default (no matching to)
=> access_allowed: exit (o=devices,o=ORG) attr (children)
Apparently, slapd does not recognize the "to" part, which is really strange.
If I work with a sub-tree, it will work, but I am not sure whether it will
always be in the same subtree!
Does anyone have an idea what is going on?
Thanks
Reinhard Nappert
Unisphere Networks, Inc.
110 Iber Road
Goulbourn, Ontario
K2S 1E9 Canada
(613) 836-1014
Fax: (613) 836-1805
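An added slapd.conf fragment (editor's example, not the poster's file) showing the ACL that the debug output above says is missing: slapd refuses the add because it first checks write access to the "children" pseudo-attribute of the parent entry (o=devices,o=ORG), and the parent does not match objectClass=device, so only the default applies. It assumes OpenLDAP 2.0-style ACL syntax, where dn="..." is a regular expression, the first matching "access to" clause wins, and attrs=children is supported.

```conf
# Added example: ACLs for the situation in the post (not the poster's config).
# Assumptions: OpenLDAP 2.0-style syntax, dn="..." is a regular expression,
# first matching "access to" clause wins, "children" pseudo-attribute exists.

# Unchanged from the post: the subscription operator owns o=users,o=org.
access to dn="o=users,o=org"
        by dn="cn=subscription,o=operators,o=org" write

# New: adding or deleting an entry needs write access to the "children"
# pseudo-attribute of its PARENT. The parent of a device entry (for example
# o=devices,o=org) is normally not a device itself, so the filter clause
# below never matches it; grant just that attribute, anywhere under o=org.
access to dn=".*,o=org$" attrs=children
        by dn="cn=device,o=operators,o=org" write

# Unchanged from the post: the device operator may write the device
# entries themselves, wherever they live under o=org.
access to filter="(objectClass=device)"
        by dn="cn=device,o=operators,o=org" write

# Everything else stays read-only, so the device operator can create
# children but still cannot write the attributes of a non-device entry.
defaultaccess read
```

With slapd -d 128 the "acl_get: entry (o=devices,o=ORG) attr (children)" line should then report a match instead of "no match"; verify that before relying on the rule.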