
Re: Access Control - Variables - still not working



Thanks for your help, but I still haven't any clue how to get the
variable substituted with what was found for the regex pattern.

Pierangelo Masarati wrote:
> 
> You can use regex pattern substitution in the form:
> 
> access to dn=".*ou=([^,]+),o=myorganization"
>         by dn="cn=admin,ou=$1,o=myorganization" write
>         by * read
> 

One of my ACLs is now:
access to dn=".*o=([^,]+),ou=customers,o=myorganisation"
        by dn="cn=*,ou=people,o=myorganisation" write
        by dn="cn=*,ou=people,o=$1,ou=customers,o=myorganisation" read

When I try to bind with a user of cn=test, o=specificcustomer,
ou=customers, o=myorganisation I get an error.
This is what the log shows:
slapd[19080]: daemon: conn=24 fd=15 connection from IP=127.0.0.1:3155
(IP=0.0.0.0:34049) accepted. 
slapd[19083]: conn=24 op=0 BIND dn="" method=128 
slapd[19083]: conn=24 op=0 RESULT tag=97 err=0 text= 
slapd[19084]: conn=24 op=1 SRCH base="ou=customers,o=myorganisation"
scope=1 filter="(o=specificcustomer)" 
slapd[19084]: => access_allowed: search access to "o=specificcustomer,
ou=customers, o=myorganisation" "o" requested 
[snip]
more acl's...
[snap]
slapd[19084]: => dnpat: [6] .*o=([^,]+),ou=customers,o=myorganisation
nsub: 1 
slapd[19084]: => acl_get: [6] matched 
slapd[19084]: => acl_get: [6] check attr o 
slapd[19084]: <= acl_get: [6] acl o=specificcustomer, ou=customers,
o=myorganisation attr: o 
slapd[19084]: => acl_mask: access to entry "o=specificcustomer,
ou=customers, o=myorganisation", attr "o" requested 
slapd[19084]: => acl_mask: to value by "", (=n)  
slapd[19084]: <= check a_dn_pat: cn=*,ou=people,o=myorganisation 
slapd[19084]: <= check a_dn_pat:
cn=*,ou=people,o=$1,ou=Kunden,o=myorganisation 

Seems that slapd takes the right ACL, but doesn't substitute the
regex part, so that there is no match for the <who> clause.

slapd[19084]: <= acl_mask: no more <who> clauses, returning =n (stop) 
slapd[19084]: => access_allowed: search access denied by =n 
slapd[19084]: conn=24 op=1 SEARCH RESULT tag=101 err=0 text= 
slapd[19157]: conn=24 op=2 RESULT tag=101 err=34 text=invalid DN 

How can I get slapd to substitute the variable?

Thanks for your help 
Timo Boettcher
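
An added example, not part of the original message and not slapd's code: a small Python model that evaluates the ACL quoted above against the requester DNs seen in the post, including the anonymous requester the log shows (`by ""`). It assumes the `dn=` patterns are unanchored regular expressions (Python's `re` stands in for POSIX regex), that `$1` is replaced by the first group of the `<what>` match, and that DNs are compared after lower-casing and removing spaces after commas; all function names, the `PEOPLE` DN and the `WHO_CLASS` variant are hypothetical.

```python
import re

# Constructed model of the ACL in the post; not slapd's implementation.
WHAT = r".*o=([^,]+),ou=customers,o=myorganisation"
WHO = [
    (r"cn=*,ou=people,o=myorganisation", "write"),
    (r"cn=*,ou=people,o=$1,ou=customers,o=myorganisation", "read"),
]
# Hypothetical variant with the wildcard written as a regex character class.
WHO_CLASS = [(p.replace("cn=*", "cn=[^,]+"), lvl) for p, lvl in WHO]


def normalize(dn):
    """Lower-case the DN and drop spaces around commas (assumed normalization)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def expand(pattern, match):
    """Replace $N with the escaped text of capture group N from the <what> match."""
    return re.sub(r"\$(\d)", lambda m: re.escape(match.group(int(m.group(1)))), pattern)


def evaluate(entry_dn, bound_dn, who_clauses):
    """Return (level, expanded pattern) of the first matching <who>, else ("none", None)."""
    what = re.search(WHAT, normalize(entry_dn))
    if what is None:
        return ("no-acl-match", None)
    for pattern, level in who_clauses:
        expanded = expand(pattern, what)
        # In regex syntax "cn=*" means "cn" plus zero or more "=", not "any cn".
        if re.search(expanded, normalize(bound_dn)):
            return (level, expanded)
    return ("none", None)


# Constructed sample DNs based on the ones named in the post.
ENTRY = "o=specificcustomer, ou=customers, o=myorganisation"
USER = "cn=test, o=specificcustomer, ou=customers, o=myorganisation"
PEOPLE = "cn=test, ou=people, o=specificcustomer, ou=customers, o=myorganisation"

if __name__ == "__main__":
    for label, dn, who in [("anonymous", "", WHO), ("cn=test as posted", USER, WHO),
                           ("people entry, cn=*", PEOPLE, WHO),
                           ("people entry, cn=[^,]+", PEOPLE, WHO_CLASS)]:
        print(f"{label:24} -> {evaluate(ENTRY, dn, who)}")
```

In this model only the last case is granted `read`: the empty DN and the posted `cn=test` DN (which has no `ou=people` component) match neither `<who>` pattern even with `$1` expanded.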