ACL (dnattr) usage
- To: openldap-software@OpenLDAP.org
- Subject: ACL (dnattr) usage
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 29 Jan 2003 12:22:44 +0100
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
I'm trying to rewrite some ACLs to be more generic, so I've created
an attribute called 'administrator' (I _could_ have used 'owner', but
I'd forgotten about that).
My Base DN is 'dc=com'. Under that I have 'dc=bayour' (=> dc=bayour,dc=com).
In the 'dc=bayour' object I have
dn: dc=bayour,dc=com
administrator: uid=frans,ou=People,dc=bayour,dc=com
Trying to add a user object (with the DN uid=test,ou=People,dc=bayour,dc=com)
doing a simple bind as 'uid=frans,ou=People,dc=bayour,dc=com' fails (see below)!
The ACL looks like:
access to dn="ou=People,dc=bayour,dc=com"
by dnattr=administrator write
by * read
The attribute looks like:
attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
DESC 'Administrator for branch'
SUP owner)
Running slapd in debug mode shows this:
------ s n i p -----
=> access_allowed: write access to "ou=People,dc=bayour,dc=com" "children" requested
=> dnpat: [1] ou=People,dc=bayour,dc=com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr children
<= acl_get: [1] acl ou=People,dc=bayour,dc=com attr: children
=> acl_mask: access to entry "ou=People,dc=bayour,dc=com", attr "children" requested
=> acl_mask: to all values by "UID=FRANS,OU=PEOPLE,DC=BAYOUR,DC=COM", (=n)
<= check a_dn_at: administrator
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
====> cache_return_entry_w( 248 ): returned (0)
no write access to parent
------ s n i p -----
What does '"children" requested' actually mean?
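The debug trace answers the question if it is read against slapd.access(5): adding an entry requires write access to the "children" pseudo-attribute of the parent entry, so the access check is run against ou=People,dc=bayour,dc=com, and "by dnattr=administrator" is satisfied only when that target entry itself carries an administrator value equal to the bound DN. The value lives on dc=bayour,dc=com instead, so the dnattr clause does not match, "by * read" matches first (implicit stop), and read cannot satisfy write. The following Python model, added here as an example and not code from OpenLDAP or from the poster, replays that evaluation on constructed entries and then shows the same add succeeding once the attribute is placed on the parent and the write grant is scoped with attrs=children. It simplifies slapd's logic: only the clause types used in the post are modelled, dn targets are matched as dn.base/dn.subtree rather than the regex form slapd 2.1 uses for a bare dn="...", and DN normalisation is plain lowercasing (no escaped commas).

```python
"""Model of how slapd evaluates a 'by dnattr=' clause during an ldapadd.

Added example, not OpenLDAP code. It reproduces the first-match semantics
of slapd.access(5) for the clause types in the post (dn.base / dn.subtree
targets, optional attrs=, 'by dnattr=<attr>' and 'by *'), plus the rule
that adding an entry needs write access to the parent's 'children'
pseudo-attribute. All entries and DNs below are constructed from the post.
"""

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm(dn):
    """Simplified DN normalisation: lowercase, strip spaces around RDNs.
    Assumes no escaped commas inside attribute values."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parent_of(dn):
    """Parent DN = everything after the first RDN."""
    return dn.split(",", 1)[1]


def target_matches(acl, target_dn):
    """'to dn.base=X' matches only X; 'to dn.subtree=X' matches X and below."""
    pattern, t = norm(acl["dn"]), norm(target_dn)
    if acl.get("scope", "base") == "base":
        return t == pattern
    return t == pattern or t.endswith("," + pattern)


def clause_matches(clause, bind_dn, target_entry):
    """'by *' matches everybody; 'by dnattr=<attr>' requires the *target entry
    itself* to hold <attr> with the bound DN as one of its values."""
    if clause["who"] == "*":
        return True
    values = (target_entry or {}).get(clause["dnattr"], [])
    return norm(bind_dn) in {norm(v) for v in values}


def access_allowed(directory, acls, bind_dn, target_dn, attr, wanted):
    """First ACL whose target (and attrs=, if present) matches decides; inside it
    the first matching 'by' clause wins (implicit stop). Returns (allowed, level)."""
    target_entry = directory.get(norm(target_dn))
    for acl in acls:
        if not target_matches(acl, target_dn):
            continue
        if "attrs" in acl and attr not in acl["attrs"]:
            continue
        for clause in acl["by"]:
            if clause_matches(clause, bind_dn, target_entry):
                granted = clause["access"]
                return LEVELS.index(granted) >= LEVELS.index(wanted), granted
        return False, "none"          # target matched, no 'by' clause did
    return False, "none"              # no ACL matched at all


def can_add(directory, acls, bind_dn, new_dn):
    """ldapadd: slapd asks for write access to the parent's 'children' pseudo-attr."""
    return access_allowed(directory, acls, bind_dn, parent_of(new_dn), "children", "write")


BIND_DN = "uid=frans,ou=People,dc=bayour,dc=com"
NEW_DN = "uid=test,ou=People,dc=bayour,dc=com"

# As posted: the administrator value sits on dc=bayour, not on the parent ou=People.
AS_POSTED = {
    norm("dc=bayour,dc=com"): {"administrator": [BIND_DN]},
    norm("ou=People,dc=bayour,dc=com"): {},
}
ACL_AS_POSTED = [  # access to dn="ou=People,..." by dnattr=administrator write by * read
    {"dn": "ou=People,dc=bayour,dc=com",
     "by": [{"who": "dnattr", "dnattr": "administrator", "access": "write"},
            {"who": "*", "access": "read"}]},
]

# Fixed: attribute on the entry the check is evaluated against (the parent), and the
# write grant limited to 'children' so it permits adds/deletes but not edits of ou=People.
FIXED = {
    norm("dc=bayour,dc=com"): {},
    norm("ou=People,dc=bayour,dc=com"): {"administrator": [BIND_DN]},
}
ACL_FIXED = [
    {"dn": "ou=People,dc=bayour,dc=com", "attrs": ["children"],
     "by": [{"who": "dnattr", "dnattr": "administrator", "access": "write"},
            {"who": "*", "access": "none"}]},
    {"dn": "ou=People,dc=bayour,dc=com", "scope": "subtree",
     "by": [{"who": "*", "access": "read"}]},
]

if __name__ == "__main__":
    print(can_add(AS_POSTED, ACL_AS_POSTED, BIND_DN, NEW_DN))  # (False, 'read')
    print(can_add(FIXED, ACL_FIXED, BIND_DN, NEW_DN))          # (True, 'write')
```

The first call reproduces the trace in the post ("applying read", then "write access denied by read", "no write access to parent"); the second succeeds because the dnattr lookup now finds the bound DN on ou=People. A user not listed there gets "none" for the add under the fixed rules, and a plain read of an entry under ou=People still falls through to the second ACL.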