Re: OpenLDAP 2.1 and ACL
- To: "Tony Earnshaw" <tonni@billy.demon.nl>
- Subject: Re: OpenLDAP 2.1 and ACL
- From: "Emmanuel Blot" <emmanuel.blot@free.fr>
- Date: Sun, 2 Feb 2003 18:46:54 +0100
- Cc: "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>, <openldap-software@OpenLDAP.org>
- References: <016801c2ba8c$5f5cf2f0$0f06a8c0@oulx> <HBF.20030113kanr@bombur.uio.no><013f01c2bfe5$fa31f830$0f06a8c0@oulx> <HBF.20030121c88n@bombur.uio.no> <0ad801c2c588$d25cb3b0$0f06a8c0@oulx> <1043670061.5828.55.camel@localhost> <0d8701c2c65d$50973460$0f06a8c0@oulx> <1043743188.16001.49.camel@localhost>
This is really weird.
Whatever ACL I use, OpenLDAP always seems to request access to the 'entry' attribute.
There's probably something wrong elsewhere, maybe in my schema definition or in the entries
themselves.
Am I the only one that gets requests on this 'entry' pseudo-attribute?
Question:
I'm using an objectclass that is defined like this:
objectclass ( 1.3.6.1.4.1.15527.1
NAME 'ancien'
SUP top
STRUCTURAL
MUST ( uid $ userPassword $ sn $ cn $ graduation $ group )
MAY ( /* a lot of other attributes */ ) )
When I create an object of objectclass 'ancien', do I also need to declare it of objectclass
'top'?
I found that for groupOfNames objectclass, examples show that objects of this class are also
declared to have 'top' objectclass.
I thought the schema (which declares that the groupOfNames objectclass has a 'top' parent) was enough
to define the inheritance; I don't understand why the parent objectclass has to be declared
when a new object is added.
With my example, do I need to declare 'ancien' object like this:
dn: uid=....
objectclass: ancien
uid: ...
or like this:
dn: uid=....
objectclass: ancien
objectclass: top
uid: ...
???
Could this misdefinition impact the ACL rules ?
Thanks,
Emmanuel.
----- Original Message -----
From: "Tony Earnshaw" <tonni@billy.demon.nl>
To: "Emmanuel Blot" <emmanuel.blot@free.fr>
Cc: "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>; <openldap-software@OpenLDAP.org>
Sent: Tuesday, January 28, 2003 9:39 AM
Subject: Re: OpenLDAP 2.1 and ACL
> Tue, 2003-01-28 at 00:39, Emmanuel Blot wrote:
>
> > slapd still seems to require access to the 'entry' attribute to perform the search.
> > I've added:
> > access to attr=entry
> > by users read
>
> Dunno, I'm afraid. I don't use this and don't know anyone else who does.
> 'man slapd.access' would seem to indicate that by doing this, you are
> also blocking access to the entry's children, since the default at this
> point is 'stop'. Though that's my interpretation and could be wrong.
>
> F.ex., I don't have any 'entry' pseudo attribute and "it works for me".
> At a certain point I =do= have a 'children' pseudo attribute, but that's
> comparatively deep down in a sub-tree, once everything else has been
> satisfied.
>
> By filtering things like 'sn' and 'cn', you're only making everything
> doubly difficult for yourself. Why don't you just start with a
> bare-bones ACL and add what you want, one thing at a time, till it
> breaks? That's the way I do it.
>
> BTW, your log level gives interesting results that I haven't seen
> before. What log level is it?
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> When all's said and done ...
> there's nothing left to say or do.
>
> e-post: tonni@billy.demon.nl
> www: http://www.billy.demon.nl
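As an added illustration of the 'entry' point discussed in this thread (example code written for this page, not code from the thread, from Emmanuel or Tony, or from the OpenLDAP project): slapd.access(5) requires 'read' on the 'entry' pseudo-attribute for an entry to be returned by a search, 'search' on the attributes named in the filter, and 'read' on each attribute returned. A clause such as 'access to attrs=cn,sn' covers only those attributes, so an ACL built attribute by attribute leaves 'entry' at the implicit default of none and the search returns nothing. The script below models that evaluation on a small, deliberately simplified subset of the syntax; it assumes the first matching 'access to' clause decides, that an unmatched 'by' list means 'by * none', and supports only '*' and 'attrs=' selectors and the '*', 'anonymous', 'users' and 'self' who-forms. The ACL text and DNs are constructed for the example.

```python
# Added example: simplified model of slapd.access(5) evaluation for a search.
# Not code from the thread or from OpenLDAP; ACL text and DNs are constructed.
from dataclasses import dataclass
from typing import Optional

# Access levels in ascending order of privilege (slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_ge(granted: str, needed: str) -> bool:
    """True if the granted level is at least the needed one."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Clause:
    # None means no attrs= selector: the clause covers every attribute,
    # including the pseudo-attributes 'entry' and 'children'.
    attrs: Optional[frozenset]
    by: list  # [(who, level), ...] in the order written


def parse_acl(text: str) -> list:
    """Parse a subset of 'access to' directives, one per line.
    <what>: '*' or 'attrs=a,b' (also 'attr='); <who>: '*', 'anonymous', 'users', 'self'."""
    acl = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access to "):
            continue
        head, *by_parts = line.split(" by ")
        what = head[len("access to "):].strip()
        if what == "*":
            attrs = None
        elif what.startswith(("attrs=", "attr=")):
            attrs = frozenset(a.strip().lower() for a in what.split("=", 1)[1].split(","))
        else:
            raise ValueError(f"unsupported <what> clause: {what!r}")
        by = []
        for part in by_parts:
            tokens = part.split()
            if len(tokens) != 2 or tokens[1] not in LEVELS:
                raise ValueError(f"unsupported <by> clause: {part!r}")
            by.append((tokens[0], tokens[1]))
        acl.append(Clause(attrs, by))
    return acl


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    return False


def granted_level(acl: list, requester: Optional[str], target_dn: str, attr: str) -> str:
    """First clause whose <what> covers attr decides; within it the first matching
    'by' decides. A selected clause with no matching 'by' behaves as 'by * none'."""
    for clause in acl:
        if clause.attrs is not None and attr.lower() not in clause.attrs:
            continue
        for who, level in clause.by:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"  # no clause selected the target at all


def search_outcome(acl, requester, target_dn, filter_attrs, requested_attrs):
    """Return (entry_returned, visible_attrs, reasons) for one candidate entry:
    filter attrs need 'search', 'entry' needs 'read', returned attrs need 'read'."""
    reasons = []
    for a in filter_attrs:
        have = granted_level(acl, requester, target_dn, a)
        if not level_ge(have, "search"):
            reasons.append(f"filter attr {a!r}: have {have}, need search")
    have_entry = granted_level(acl, requester, target_dn, "entry")
    if not level_ge(have_entry, "read"):
        reasons.append(f"pseudo-attr 'entry': have {have_entry}, need read")
    if reasons:
        return False, [], reasons
    visible = [a for a in requested_attrs
               if level_ge(granted_level(acl, requester, target_dn, a), "read")]
    return True, visible, reasons


# Constructed ACL sets: the first grants only cn/sn, the second adds the
# 'access to attr=entry by users read' line quoted in the thread.
ACL_ATTRS_ONLY = """
access to attrs=userPassword by self write by anonymous auth by * none
access to attrs=cn,sn by users read by * none
"""
ACL_WITH_ENTRY = ACL_ATTRS_ONLY + "access to attr=entry by users read\n"

TARGET = "uid=jdoe,ou=people,dc=example,dc=org"   # constructed target DN
BOUND = "uid=admin,ou=people,dc=example,dc=org"   # constructed bound (requester) DN


def demo(acl_text: str):
    """Search for (cn=*) as BOUND, asking for cn, sn and userPassword."""
    acl = parse_acl(acl_text)
    return search_outcome(acl, BOUND, TARGET, ["cn"], ["cn", "sn", "userPassword"])


if __name__ == "__main__":
    for name, text in [("attrs only", ACL_ATTRS_ONLY), ("with entry", ACL_WITH_ENTRY)]:
        returned, attrs, why = demo(text)
        print(f"{name}: entry returned={returned} attrs={attrs} {why}")
```

Running it shows the attrs-only ACL failing with "pseudo-attr 'entry': have none, need read" even though cn is readable, while the second set returns the entry with cn and sn and still withholds userPassword, since the bound DN is neither self nor anonymous and so falls through to 'by * none'. The model ignores DN-based selectors, regex matching and the 'stop'/'break'/'continue' control words, so it is a way to reason about a draft ACL, not a substitute for testing against slapd itself.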