
Re: ACL question: is the topmost entry different ?




Hi all,

I'm still wrestling with this problem.
Here I am sending a more complete example. It's quite obvious that I am
missing something here; I would be delighted if anyone can help me understand
this.

Here's my ACL:

---ACL
# protect all userPasswords.
# managers have access to all passwords
access to attr=userpassword
	by self write
	by group="group=managers,app=qwido" write
	by anonymous auth

### 
access to dn="app=qwido" 
	by dn="app=qwido" read
---

When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree.

When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see the *whole* tree.

When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,,app=qwido
I can see the *whole* tree.

When I use the following ACL:

---ACL
# protect all userPasswords.
# managers have access to all passwords
access to attr=userpassword
	by self write
	by group="group=managers,app=qwido" write
	by anonymous auth

### 
access to dn.exact="app=qwido" 
	by dn="app=qwido" read
---

(note: the only change is the 'exact' style in the last access directive)

then:

When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree. (expected behaviour)

When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see 'nothing'

When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,,app=qwido
I can see 'nothing'


Can anyone explain to me why I need to use 'exact' to get the expected behaviour?

TIA
Ace