[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [SOLVED] OpenLDAP 2.1.19 and ACLs
I had to put a "^" in front of the DNs to match the beginning of the
regex.. This is different from the 2.0.x behavior..
On Fri, 2003-06-06 at 12:50, Edward Rudd wrote:
> I have this nice set of ACLs that I created for my openldap 2.0.27
> server.. now I'm trying to upgrade things to openldap 2.1.19 but the
> acls refuse to work correctly..
>
> I've now proceeded to strip them down and rebuild them from scratch on
> the 2.1.19 server.. here it is..
>
> access to dn="" by * read
> access to dn="cn=Subschema" by * read
>
> access to dn="uid=.*,ou=People,o=MyOrg,c=US"
> attr=userPassword,objectClass
> by self write
> by anonymous auth
>
> access to dn="uid=.*,ou=People,o=MyOrg,c=US"
> attrs=hordePrefs,impPrefs,turbaPrefs
> by self write
>
> access to dn="uid=.*,ou=People,o=MyOrg,c=US" attrs=entry
> by self read
>
> access to dn="ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
> attr=children,objectClass
> by dn="uid=$1,ou=People,o=MyOrg,c=US" write
>
> access to dn="cn=.*,ou=Address Book,uid=(.*),ou=People,o=MyOrg,c=US"
> by dn="uid=$1,ou=People,o=MyOrg,c=US" write
>
> access to *
> by * none
>
>
> I turned on loglevel 128 and am watching the acl trace..
> This is what is happening... I run
> $ ldapsearch -U user@dom.tld -s base -w test -b
> "uid=user@dom.tld,ou=people,o=MyOrg,c=us"
> and it works as expected and returns the userpassword attr, and th horde
> prefs attrs.
>
> when I do this however
> $ ldapsearch -U user@dom.tld -s sub -w test -b
> "uid=user@dom.tld,ou=people,o=MyOrg,c=us"
> it returns exactly the same thing and does not return any of the
> entries in the ou=Address Boook.
> in the log it tells me that when it tries to look up objectClass in
> "ou=Address Book,uid=user@dom.tld,ou=people,ou=MyOrg,c=US" it matches
> dnpat[3] NOT dnpat[4] like it should.. So every ACL request is matching
> the "uid=.*,ou=People,o=MyOrg,c=US" rule
>
> Also I can not get group acls to work either in 2.1.19 ie..
> (by group="cn=admin,ou=Group,o=MyOrg,c=US" write)
> AS those where in there but when slapd traced through those it say that
> the user was not in the member attribute of the group (it found the
> group) even though it IS!!
>
> This did not happen with 2.0.27... Any ideas??
> I'm running RH 7.3 w/ the open-it.org RPMS (rebuilt on my system of
> course)
--
Edward Rudd <eddie@omegaware.com>