
Re: OpenLDAP 2.1 and ACL



This is really weird.

Whatever ACL I use, OpenLDAP always seems to request access to the 'entry' attribute.
There's probably something wrong elsewhere, maybe in my schema definition or in the entries
themselves.

Am I the only one that gets requests on this 'entry' pseudo-attribute?

Question:
I'm using an objectclass that is defined like this:

objectclass ( 1.3.6.1.4.1.15527.1
              NAME 'ancien'
              SUP top
              STRUCTURAL
              MUST ( uid $ userPassword $ sn $ cn $ graduation $ group )
              MAY  ( /* a lot of other attributes */ ) )

When I create objects of objectclass 'ancien', do I also need to define them as objectclass
'top'?

I found that for the groupOfNames objectclass, examples show that objects of this class are also
declared to have the 'top' objectclass.
I thought the schema (which declares that the groupOfNames objectclass has a 'top' parent) was enough
to define the inheritance; I don't understand why the parent objectclass has to be declared
when a new object is added.

With my example, do I need to declare 'ancien' object like this:

dn: uid=....
objectclass: ancien
uid: ...

or like this:

dn: uid=....
objectclass: ancien
objectclass: top
uid: ...

?
Could this misdefinition impact the ACL rules?

Thanks,
Emmanuel.
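The inheritance question above (must an 'ancien' entry also list 'top'?) can be reasoned about by resolving the SUP chain of each declared objectclass and checking the entry's MUST attributes against the union of that chain. The following script is an added example written for this thread, not OpenLDAP's own schema checker and not code from the message: it encodes the 'ancien' definition as posted, uses a constructed 'top' definition and a constructed `mail` attribute standing in for the elided MAY list, and validates two constructed LDIF entries, one with and one without an explicit 'top' value. Because the resolver walks SUP links, both entries pass the same MUST check; what slapd itself stores or requires is a separate matter the example does not claim to settle.

```python
# Added example (not OpenLDAP code): resolve objectClass inheritance via SUP and
# check an LDIF entry's attributes against the MUST/MAY sets of the whole chain.
from __future__ import annotations

# 'ancien' is the class from the message; 'top' and the 'mail' MAY entry are
# constructed for this example (the real MAY list was elided in the post).
OBJECT_CLASSES: dict[str, dict] = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "ancien": {
        "sup": "top",
        "must": {"uid", "userPassword", "sn", "cn", "graduation", "group"},
        "may": {"mail"},  # constructed stand-in for "a lot of other attributes"
    },
}


def superior_chain(name: str) -> list[str]:
    """Return [name, its SUP, its SUP's SUP, ...] down to the root class."""
    chain: list[str] = []
    current: str | None = name.lower()
    while current is not None:
        if current not in OBJECT_CLASSES:
            raise KeyError(f"unknown objectClass {current!r}")
        chain.append(current)
        current = OBJECT_CLASSES[current]["sup"]
    return chain


def effective_classes(declared: list[str]) -> set[str]:
    """All classes an entry effectively has once SUP inheritance is applied."""
    classes: set[str] = set()
    for name in declared:
        classes.update(superior_chain(name))
    return classes


def required_attributes(declared: list[str]) -> set[str]:
    return {a.lower() for c in effective_classes(declared)
            for a in OBJECT_CLASSES[c]["must"]}


def allowed_attributes(declared: list[str]) -> set[str]:
    optional = {a.lower() for c in effective_classes(declared)
                for a in OBJECT_CLASSES[c]["may"]}
    return required_attributes(declared) | optional


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Minimal single-entry LDIF parser: 'name: value' lines, names lowercased."""
    entry: dict[str, list[str]] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"bad LDIF line: {raw!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry: dict[str, list[str]]) -> list[str]:
    """Return a list of schema problems; an empty list means the entry checks out."""
    declared = entry.get("objectclass", [])
    if not declared:
        return ["entry has no objectClass values"]
    try:
        required = required_attributes(declared)
        allowed = allowed_attributes(declared)
    except KeyError as exc:
        return [str(exc)]
    present = {name for name in entry if name != "dn"}  # dn is not an attribute
    problems = [f"missing MUST attribute: {a}" for a in sorted(required - present)]
    problems += [f"attribute not allowed by any objectClass: {a}"
                 for a in sorted(present - allowed)]
    return problems


# Constructed sample entries (values are placeholders, not real data).
ENTRY_WITHOUT_TOP = """\
dn: uid=jdoe,ou=people,dc=example,dc=org
objectclass: ancien
uid: jdoe
userPassword: {SSHA}placeholder
sn: Doe
cn: John Doe
graduation: 1999
group: alumni
"""

ENTRY_WITH_TOP = ENTRY_WITHOUT_TOP.replace("objectclass: ancien\n",
                                           "objectclass: ancien\nobjectclass: top\n")

if __name__ == "__main__":
    for label, text in (("without top", ENTRY_WITHOUT_TOP), ("with top", ENTRY_WITH_TOP)):
        entry = parse_ldif(text)
        print(label, sorted(effective_classes(entry["objectclass"])), check_entry(entry))
```

Running it shows both entries resolving to the same effective class set and passing the MUST check; dropping a required attribute such as `group` from the entry is reported by name, which is the kind of check worth running over an LDIF file before loading it, independent of how the ACLs are written.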


----- Original Message -----
From: "Tony Earnshaw" <tonni@billy.demon.nl>
To: "Emmanuel Blot" <emmanuel.blot@free.fr>
Cc: "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>; <openldap-software@OpenLDAP.org>
Sent: Tuesday, January 28, 2003 9:39 AM
Subject: Re: OpenLDAP 2.1 and ACL


> tir, 2003-01-28 kl. 00:39 skrev Emmanuel Blot:
>
> > slapd still seems to require access to the 'entry' attribute to perform the search.
> > I've added:
> > access to attr=entry
> >        by users read
>
> Dunno, I'm afraid. I don't use this and don't know anyone else who does.
> 'man slapd.access' would seem to indicate that by doing this, you are
> also blocking access to the entry's children, since the default at this
> point is 'stop'. Though that's my interpretation and could be wrong.
>
> F.ex., I don't have any 'entry' pseudo attribute  and "it works for me".
> At a certain point I =do= have a 'children' pseudo attribute, but that's
> comparatively deep down in a sub-tree, once everything else has been
> satisfied.
>
> By filtering things like 'sn' and 'cn', you're only making everything
> doubly difficult for yourself. Why don't you just start with a
> bare-bones ACL and add what you want, one thing at a time, till it
> breaks? That's the way I do it.
>
> BTW, your log level gives interesting results that I haven't seen
> before. What log level is it?
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> When all's said and done ...
> there's nothing left to say or do.
>
> e-post: tonni@billy.demon.nl
> www: http://www.billy.demon.nl
>
>
>
>