[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI - cannot see any mistakes (typo)

To: openldap-software@OpenLDAP.org
Subject: Re: ACI - cannot see any mistakes (typo)
From: Armin Wenz <awenz@mtgnet.de>
Date: Mon, 17 Jun 2002 09:24:08 +0200
Organization: media transfer GmbH
References: <3D0D85B4.1040208@mtgnet.de>
User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020529

Armin Wenz wrote:

I have a DIT like
c=de
- o=Demo
  - ou=user
  - ou=company
I want to deny anonymous access to the ou=user branch.

My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
  by dn="cn=user1, ou=user, o=Demo, c=DE" write
  by anonymous auth
  by * none
access to dn=".*,c=DE"
  by dn="cn=user1, ou=user, o=Demo, c=DE" write
  by * read

When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE" I still got all entries under that branch.

In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
                "objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched

In my opinion ACL1 should match.

What have I misunderstood or done wrong?


Sorry to all who replied that fast:

This "MailPass Demo" is a typo. It means
access_allowed: search access to "ou=user,o=Demo, c=DE"
                "objectClass" requested

--

Armin Wenz

References:
- ACI - cannot see any mistakes
  - From: Armin Wenz <awenz@mtgnet.de>

Prev by Date: Re: ./configure Berkleydb error
Next by Date: Version 2.1.2, can't see anything in cn=monitor
Index(es):
- Chronological
- Thread