Re: ACL question: is the topmost entry different ?
Hi all,
Still more wrestling. I wouldn't be surprised if they take me to the asylum
after even more wrestling :-(
>
> Here's my ACL:
Here's my new ACL:
---ACL
# protect all userPasswords.
# qwido: managers have access to all passwords
access to attr=userpassword
        by self write
        by group="group=managers,app=qwido" write
        by anonymous auth
###
access to dn="oc=(.*),app=qwido"
        by dn.exact="oc=$1,app=qwido" read
        by dn.exact="app=qwido" read
###
access to dn="app=qwido" attrs=children
        by dn.exact="app=qwido" write
###
access to dn="app=qwido"
        by dn.exact="app=qwido" read
---
When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree.
I can ADD oc=isp002,app=qwido
but I can't edit any oc=.*,app=qwido (expected behaviour)
When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see nothing.
This strikes me as strange.
When I remove the 'exact' I am able to see the entire tree, but:
When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,app=qwido
I can see nothing (expected behaviour)
but when I remove the exact, I can also see the entire tree !
Again, mystery strikes.
defaultaccess is none (of course).
I am using core.schema, cosine.schema, nis.schema, qmail.schema and a schema
of my own:
---qwido.schema:
# qwido.schema.01
# qwido 2.0 copyright Ace Suares http://www.qwido.com
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) something(1).
# acesuares(14391) qwido(1)
# Syntaxes are under 1.3.6.1.4.1.14391.1.0
# Attribute types are under 1.3.6.1.4.1.14391.1.1
# Object classes are under 1.3.6.1.4.1.14391.1.2
# Services are under 1.3.6.1.4.1.14391.1.3
# Objectidentifiers
objectIdentifier acesuaresOID 1.3.6.1.4.1.14391
objectIdentifier qwido acesuaresOID:1
objectIdentifier qwidoSyntax qwido:0
objectIdentifier qwidoAttributeType qwido:1
objectIdentifier qwidoObjectClass qwido:2
# qwido Attributes
attributetype ( qwidoAttributeType:0 NAME 'qwidoVersion'
        DESC 'qwido Version Number'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( qwidoAttributeType:5 NAME 'qwidoStatus'
        DESC 'qwido Status'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# qwido objectclasses
objectclass ( qwidoObjectClass:0 NAME 'qwidoTop' STRUCTURAL
        MUST ( qwidoVersion )
        )
objectclass ( qwidoObjectClass:1 NAME 'qwidoService' STRUCTURAL
        MUST ( qwidoStatus )
        )
objectclass ( qwidoObjectClass:2 NAME 'qwidoOC' STRUCTURAL
        MUST ( qwidoStatus )
        )
objectclass ( qwidoObjectClass:3 NAME 'qwidoDomain' STRUCTURAL
        MUST ( qwidoStatus )
        MAY ( homeDirectory )
        )
objectclass ( qwidoObjectClass:4 NAME 'qwidoManager' STRUCTURAL
        MUST ( userPassword $ qwidoStatus )
        MAY ( description $ cn )
        )
# end qwido.schema.01
----
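Added example (editor's note, not part of the message above and not the poster's configuration). Under the slapd.access(5) semantics assumed here (OpenLDAP 2.2 or later, which has the dn.exact,expand form), the results described in the message are what the posted ACL asks for: a dn= pattern with no style, in either the <what> or the <who> clause, is treated as an unanchored regular expression; $1 is only substituted into a <who> clause that carries the expand modifier (or is itself dn.regex), so by dn.exact="oc=$1,app=qwido" compares the bind DN against the literal string oc=$1,app=qwido, which no entry matches, and that is why oc=isp001 sees nothing. Dropping exact makes app=qwido an unanchored regex that matches every DN in the tree (they all end in app=qwido), which is why every bind then sees everything. The fragment below keeps the posted intent but anchors the patterns and expands the submatch explicitly; the capture group numbering and the explicit by * none lines are the editor's choices.

```conf
# Added example, not the poster's ACL. Same intent as the posted rules, with
# anchored regular expressions and an explicit expand modifier.
# Assumes OpenLDAP 2.2+ slapd.access(5) syntax. In slapd.conf every
# continuation line must begin with whitespace.

# Passwords: the entry itself and the managers group may write; anonymous may
# only use the value to bind (auth). Everyone else gets nothing.
access to attrs=userPassword
        by self write
        by group="group=managers,app=qwido" write
        by anonymous auth
        by * none

# Each oc=<name>,app=qwido entry, and anything beneath it, is readable by that
# oc entry and by app=qwido. ^ and $ anchor the pattern, so the <who> clause is
# compared exactly after $2 has been replaced by the captured <name>; a
# manager=...,oc=isp001,app=qwido bind no longer matches as a substring.
access to dn.regex="^(.+,)?oc=([^,]+),app=qwido$"
        by dn.exact,expand="oc=$2,app=qwido" read
        by dn.exact="app=qwido" read
        by * none

# Only app=qwido may add or delete entries directly below itself.
access to dn.exact="app=qwido" attrs=children
        by dn.exact="app=qwido" write
        by * none

# app=qwido may read its own entry; nothing else may.
access to dn.exact="app=qwido"
        by dn.exact="app=qwido" read
        by * none
```

Rule order matters: slapd uses the first access directive whose <what> matches the entry (and attribute), and within it the first <who> that matches the bind DN, so the attrs=children rule has to precede the plain app=qwido rule, and the userPassword rule, which has no dn restriction, has to come first.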