ACI - cannot see any mistakes
- To: openldap-software@OpenLDAP.org
- Subject: ACI - cannot see any mistakes
- From: Armin Wenz <awenz@mtgnet.de>
- Date: Mon, 17 Jun 2002 08:46:12 +0200
- Organization: media transfer GmbH
- User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020529
I have a DIT like
c=de
- o=Demo
- ou=user
- ou=company
I want to deny anonymous access to the ou=user branch.
My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
    by dn="cn=user1, ou=user, o=Demo, c=DE" write
    by anonymous auth
    by * none

access to dn=".*,c=DE"
    by dn="cn=user1, ou=user, o=Demo, c=DE" write
    by * read
When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE"
I still got all entries under that branch.
In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
"objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched
In my opinion ACL1 should match.
What have I misunderstood or done wrong?
--
Armin Wenz
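
Added example, not part of the original message and not OpenLDAP code: a small Python model of first-match ACL selection that replays the two posted target patterns against the DN shown in the log. It assumes slapd compares each regex, unanchored and ignoring case, against the DN with whitespace around commas removed, which is consistent with pattern [2] ".*,c=DE" matching the logged DN ending in ", c=DE". The function names and the NO_SPACES and WITH_BASE pattern sets are constructed for comparison.

```python
import re

# ACL target patterns exactly as posted, in evaluation order.
POSTED = [".*, ou=user, o=Demo, c=DE", ".*,c=DE"]
# Constructed variants for comparison (not from the original message).
NO_SPACES = [".*,ou=user,o=Demo,c=DE", ".*,c=DE"]
WITH_BASE = ["^(.*,)?ou=user,o=Demo,c=DE$", ".*,c=DE"]


def normalize_dn(dn):
    """Assumed normalization: drop whitespace around RDN separators.

    Naive split; does not handle escaped commas inside attribute values.
    """
    return ",".join(part.strip() for part in dn.split(","))


def first_match(dn, patterns):
    """Return the 1-based index of the first pattern that matches, else None."""
    target = normalize_dn(dn)
    for index, pattern in enumerate(patterns, start=1):
        # Unanchored, case-insensitive search (assumption, see lead-in).
        if re.search(pattern, target, re.IGNORECASE):
            return index
    return None


def report():
    """Evaluate each pattern set against the DNs discussed in the message."""
    dns = [
        "ou=user,o=MailPass Demo, c=DE",    # DN as it appears in the log
        "ou=user, o=Demo, c=DE",            # search base as written in the post
        "cn=user1, ou=user, o=Demo, c=DE",  # an entry below the base
    ]
    sets = {"posted": POSTED, "no_spaces": NO_SPACES, "with_base": WITH_BASE}
    return {(name, dn): first_match(dn, pats)
            for name, pats in sets.items() for dn in dns}


if __name__ == "__main__":
    for (name, dn), hit in report().items():
        print(f"{name:10} {dn!r:40} -> acl [{hit}]")
```

Under these assumptions the posted patterns send every DN to rule [2], as in the log. The logged DN still falls through to [2] in all three sets because its o= value is "MailPass Demo" rather than "Demo".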