Re: ACI - cannot see any mistakes
Armin Wenz writes:
I have a DIT like
c=de
- o=Demo
- ou=user
- ou=company
I want to deny anonymous access to the ou=user branch.
My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
by dn="cn=user1, ou=user, o=Demo, c=DE" write
by anonymous auth
by * none
access to dn=".*,c=DE"
by dn="cn=user1, ou=user, o=Demo, c=DE" write
by * read
When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE" I
still got all entries under that branch.
In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
"objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched
In my opinion ACL1 should match.
What have I misunderstood or done wrong?
do not use spaces after commas in DNs;
moreover, you may use a more efficient
exact match instead of unnecessary regex
match by doing
access to dn.subtree="o=...,c=DE"
and so on.
Pierangelo.
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
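As an added illustration (not part of this thread and not OpenLDAP's own code), the following Python model of slapd's first-match ACL evaluation shows why the directives as posted fall through to the more permissive second rule, and why a dn.subtree clause also covers the base entry itself, which a regex of the form ".*,ou=user,..." does not. Everything here is a simplification made for the example: DN normalization is reduced to stripping whitespace around commas, regexes are matched unanchored and case-insensitively against the normalized DN, "by dn=" is treated as an exact DN match, and the access returned when no directive matches at all is the model's own fallback, not a statement about slapd's default.

```python
import re

# Constructed sample: the entries below c=de from the question, written the
# way slapd stores DNs internally (no spaces after the RDN separators).
SAMPLE_DIT = [
    "o=Demo,c=DE",
    "ou=user,o=Demo,c=DE",
    "cn=user1,ou=user,o=Demo,c=DE",
    "ou=company,o=Demo,c=DE",
]

USER1 = "cn=user1,ou=user,o=Demo,c=DE"


def normalize_dn(dn):
    """Simplified stand-in for slapd's DN normalization: strip whitespace
    around the RDN separators. Real normalization also canonicalises case,
    escaping and attribute types; that is deliberately left out here."""
    return ",".join(part.strip() for part in dn.split(","))


def to_matches(kind, pattern, target):
    """Does the <what> clause (kind, pattern) select the entry `target`?"""
    target = normalize_dn(target)
    if kind == "regex":
        # Modelled like regexec(): unanchored, case-insensitive, run against
        # the *normalized* DN. A pattern written with ", " therefore can
        # never match, because the normalized DN contains no such spaces.
        return re.search(pattern, target, re.IGNORECASE) is not None
    if kind == "subtree":
        # dn.subtree: the base entry itself plus everything below it.
        base = normalize_dn(pattern).lower()
        t = target.lower()
        return t == base or t.endswith("," + base)
    raise ValueError("unknown dn style: %s" % kind)


def access_for(acls, target, subject):
    """Access level `subject` ('anonymous' or a bind DN) gets on `target`,
    following slapd's first-match rule: the first access directive whose
    <what> matches the entry is used, and within it the first <who> clause
    that matches the subject decides; later directives are never consulted."""
    for acl in acls:
        kind, pattern = acl["to"]
        if not to_matches(kind, pattern, target):
            continue
        for who, who_dn, level in acl["by"]:
            if who == "*":
                return level
            if who == "anonymous" and subject == "anonymous":
                return level
            if (who == "dn" and subject != "anonymous"
                    and normalize_dn(who_dn).lower() == normalize_dn(subject).lower()):
                return level
        return "none"   # no <who> clause matched: slapd's implicit "by * none"
    return "none"       # no directive matched: the model's fallback, not slapd's


# The directives exactly as posted, with spaces after the commas.
ACL_AS_POSTED = [
    {"to": ("regex", r".*, ou=user, o=Demo, c=DE"),
     "by": [("dn", "cn=user1, ou=user, o=Demo, c=DE", "write"),
            ("anonymous", None, "auth"),
            ("*", None, "none")]},
    {"to": ("regex", r".*,c=DE"),
     "by": [("dn", "cn=user1, ou=user, o=Demo, c=DE", "write"),
            ("*", None, "read")]},
]

# Same regexes with the spaces removed: the first rule now catches entries
# *under* ou=user, but still not the ou=user entry itself (there is no
# leading comma for ".*," to match).
ACL_REGEX_NO_SPACES = [
    {"to": ("regex", r".*,ou=user,o=Demo,c=DE"), "by": ACL_AS_POSTED[0]["by"]},
    {"to": ("regex", r".*,c=DE"), "by": ACL_AS_POSTED[1]["by"]},
]

# The exact-match form suggested in the reply: dn.subtree covers the base
# entry and everything below it, with no regex involved.
ACL_SUBTREE = [
    {"to": ("subtree", "ou=user,o=Demo,c=DE"), "by": ACL_AS_POSTED[0]["by"]},
    {"to": ("subtree", "c=DE"), "by": ACL_AS_POSTED[1]["by"]},
]


def anonymous_view(acls):
    """Map every sample entry to the access an anonymous client gets."""
    return {dn: access_for(acls, dn, "anonymous") for dn in SAMPLE_DIT}


if __name__ == "__main__":
    for name, acls in [("as posted", ACL_AS_POSTED),
                       ("regex, no spaces", ACL_REGEX_NO_SPACES),
                       ("dn.subtree", ACL_SUBTREE)]:
        print(name)
        for dn, level in anonymous_view(acls).items():
            print("  %-32s %s" % (dn, level))
```

Running it prints "read" for every entry under the posted rules, which is exactly the symptom in the question: the first directive never matches, so the second one with "by * read" decides. With the spaces removed, the cn=user1 entry drops to "auth" but ou=user itself is still readable anonymously; only the dn.subtree form gives "auth" on both.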