Re: ACI - cannot see any mistakes



Armin Wenz writes:

I have a DIT like
c=de
- o=Demo
- ou=user
- ou=company
I want to deny anonymous access to the ou=user branch.


My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
by dn="cn=user1, ou=user, o=Demo, c=DE" write
by anonymous auth
by * none
access to dn=".*,c=DE"
by dn="cn=user1, ou=user, o=Demo, c=DE" write
by * read


When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE" I still got all entries under that branch.

In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
"objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched


In my opinion ACL1 should match.

What have I misunderstood or done wrong?

Do not use spaces after commas in DNs;
moreover, you may use a more efficient
exact match instead of an unnecessary regex
match by doing


access to dn.subtree="o=...,c=DE"

and so on.

Pierangelo.


Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
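A small Python model of why the second ACL clause wins in the log above, added here as an illustration and not code from the thread or from OpenLDAP: it approximates slapd's DN normalization (whitespace around RDN separators dropped, case folded) and its first-matching-clause evaluation, both simplifying assumptions of this example, and compares the poster's spaced regex patterns with space-free regexes and with dn.subtree selectors.

```python
import re

def normalize_dn(dn: str) -> str:
    """Simplified model (assumption) of slapd DN normalization: the form that
    ACL patterns are compared against has no whitespace around commas and is
    case-folded, so a pattern written with ", ou=user" can never match."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def dn_in_subtree(dn: str, base: str) -> bool:
    """dn.subtree semantics: the base entry itself plus everything below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)

def first_matching_acl(target_dn: str, acls) -> int:
    """Return the 1-based index of the first 'access to' clause whose DN
    selector matches target_dn (slapd stops at the first match), or 0."""
    ndn = normalize_dn(target_dn)
    for i, (style, pattern) in enumerate(acls, start=1):
        if style == "regex" and re.search(pattern, ndn, re.IGNORECASE):
            return i
        if style == "subtree" and dn_in_subtree(ndn, pattern):
            return i
    return 0

# The poster's ACL: regex patterns written with spaces after the commas.
ACL_WITH_SPACES = [
    ("regex", r".*, ou=user, o=Demo, c=DE"),
    ("regex", r".*,c=DE"),
]
# Same regexes without spaces: children match, but the ou=user entry itself
# still falls through to clause 2 because the pattern needs a leading RDN.
ACL_NO_SPACES = [
    ("regex", r".*,ou=user,o=Demo,c=DE"),
    ("regex", r".*,c=DE"),
]
# Exact subtree match as suggested in the reply: covers base and children,
# with no regex to mistype.
ACL_SUBTREE = [
    ("subtree", "ou=user,o=Demo,c=DE"),
    ("subtree", "c=DE"),
]
```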