OpenLDAP 2.1.19 and ACLs
I have this nice set of ACLs that I created for my OpenLDAP 2.0.27
server.. now I'm trying to upgrade things to OpenLDAP 2.1.19 but the
ACLs refuse to work correctly..
I've now proceeded to strip them down and rebuild them from scratch on
the 2.1.19 server.. here they are..
access to dn="" by * read
access to dn="cn=Subschema" by * read
access to dn="uid=.*,ou=People,o=MyOrg,c=US"
        attr=userPassword,objectClass
        by self write
        by anonymous auth
access to dn="uid=.*,ou=People,o=MyOrg,c=US"
        attrs=hordePrefs,impPrefs,turbaPrefs
        by self write
access to dn="uid=.*,ou=People,o=MyOrg,c=US" attrs=entry
        by self read
access to dn="ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
        attr=children,objectClass
        by dn="uid=$1,ou=People,o=MyOrg,c=US" write
access to dn="cn=.*,ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
        by dn="uid=$1,ou=People,o=MyOrg,c=US" write
access to *
        by * none
I turned on loglevel 128 and am watching the ACL trace..
This is what is happening... I run
$ ldapsearch -U user@dom.tld -s base -w test -b
"uid=user@dom.tld,ou=people,o=MyOrg,c=us"
and it works as expected and returns the userPassword attr and the horde
prefs attrs.
When I do this however
$ ldapsearch -U user@dom.tld -s sub -w test -b
"uid=user@dom.tld,ou=people,o=MyOrg,c=us"
it returns exactly the same thing and does not return any of the
entries in the ou=Address Book.
In the log it tells me that when it tries to look up objectClass in
"ou=Address Book,uid=user@dom.tld,ou=people,ou=MyOrg,c=US" it matches
dnpat[3], NOT dnpat[4] like it should.. So every ACL request is matching
the "uid=.*,ou=People,o=MyOrg,c=US" rule.
Also I cannot get group ACLs to work either in 2.1.19, i.e.
(by group="cn=admin,ou=Group,o=MyOrg,c=US" write)
As those were in there, but when slapd traced through those it says that
the user was not in the member attribute of the group (it found the
group) even though it IS!!
This did not happen with 2.0.27... Any ideas??
I'm running RH 7.3 w/ the open-it.org RPMS (rebuilt on my system of
course)
--
Edward Rudd <eddie@omegaware.com>
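An added simulation (not part of the original post, and not slapd's own code) of why the trace reports dnpat[3] for the Address Book entry: slapd compiles `dn=` patterns as POSIX regular expressions and, like regexec, a pattern without `^`/`$` anchors matches anywhere in the DN string, and the first `access to` clause whose pattern matches wins. The DNs below are constructed from the post, and case-insensitive matching is assumed because the log in the post matched `ou=people` against `ou=People`.

```python
import re

# The three regex dn patterns from the post, in slapd's first-match order
# (dn="" and dn="cn=Subschema" are omitted since they never match here).
UNANCHORED = [
    r"uid=.*,ou=People,o=MyOrg,c=US",                             # dnpat[3]
    r"ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US",           # dnpat[4]
    r"cn=.*,ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US",     # dnpat[5]
]
# The same patterns anchored so each one matches the whole DN only.
ANCHORED = [f"^{p}$" for p in UNANCHORED]

# Constructed sample DNs: the user entry, its Address Book container, a card.
DN_USER = "uid=user@dom.tld,ou=People,o=MyOrg,c=US"
DN_BOOK = "ou=Address Book,uid=user@dom.tld,ou=People,o=MyOrg,c=US"
DN_CARD = "cn=Bob,ou=Address Book,uid=user@dom.tld,ou=People,o=MyOrg,c=US"


def first_match(patterns, dn):
    """Index of the first pattern that matches dn, mimicking slapd's
    first-matching-clause rule; re.search, like regexec, matches an
    unanchored pattern against any substring. None if nothing matches."""
    for i, pat in enumerate(patterns):
        if re.search(pat, dn, re.IGNORECASE):
            return i
    return None


def owner_dn(patterns, dn):
    """Expand the post's 'by dn="uid=$1,ou=People,..."' clause: $1 is the
    first capture group of the clause that won the match. Returns None
    when the winning clause has no capture group (e.g. dnpat[3])."""
    i = first_match(patterns, dn)
    if i is None:
        return None
    m = re.search(patterns[i], dn, re.IGNORECASE)
    if not m.groups():
        return None
    return f"uid={m.group(1)},ou=People,o=MyOrg,c=US"


if __name__ == "__main__":
    for dn in (DN_USER, DN_BOOK, DN_CARD):
        print(f"{dn}\n  unanchored -> dnpat[{3 + first_match(UNANCHORED, dn)}]"
              f"\n  anchored   -> dnpat[{3 + first_match(ANCHORED, dn)}]")
```

Run as-is, the unanchored list sends every DN to dnpat[3] because the user's own DN is a suffix of the child DNs, so the `$1` owner clause is never reached; the anchored list routes each DN to the clause written for it.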