[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI - cannot see any mistakes

To: awenz@mtgnet.de
Subject: Re: ACI - cannot see any mistakes
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
Date: Mon, 17 Jun 2002 09:02:18 +0000
Cc: openldap-software@OpenLDAP.org
In-reply-to: <3D0D85B4.1040208@mtgnet.de>
References: <3D0D85B4.1040208@mtgnet.de>

Armin Wenz writes:

I have a DIT like c=de - o=Demo - ou=user - ou=company I want to deny anonymous access to the ou=user branch.

My ACL is: access to dn=".*, ou=user, o=Demo, c=DE" by dn="cn=user1, ou=user, o=Demo, c=DE" write by anonymous auth by * none access to dn=".*,c=DE" by dn="cn=user1, ou=user, o=Demo, c=DE" write by * read

When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE" I still got all entries under that branch.

In the log I read: access_allowed: search access to "ou=user,o=MailPass Demo, c=DE" "objectClass" requested dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0 dnpat: [2] .*,c=DE nsub: 0 acl_get: [2] matched

In my opinion ACL1 should match.

What have I misunderstood or done wrong?

do not use spaces after commas in DNs; moreover, you may use a more efficient exact match instead of unnecessary regex match by doing

access to dn.subtree="o=...,c=DE"

and so.

Pierangelo.

Dr. Pierangelo Masarati | voice: +39 02 2399 8309 Dip. Ing. Aerospaziale | fax: +39 02 2399 8334 Politecnico di Milano | mailto:pierangelo.masarati@polimi.it via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati

References:
- ACI - cannot see any mistakes
  - From: Armin Wenz <awenz@mtgnet.de>

Prev by Date: RE: ACI - cannot see any mistakes
Next by Date: Re: ./configure Berkleydb error
Index(es):
- Chronological
- Thread