[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL

To: <philippe.broussard@e-qual.fr>
Subject: Re: ACL
From: Joshua Bernstein <bjosh@engr.arizona.edu>
Date: Fri, 13 Jun 2003 01:49:22 -0700
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAoTMCUkUVIU+EN1lpRTz5FcKAAAAQAAAAtEgpYjBuVEGRRbkkNLPsQgEAAAAA@e-qual.fr>

Well Line 1 is just stating that you want the "userPassword" Attribute and you are connection as user "AdminContacts" Line 2 is telling you that that the system is checking the ACL for the "userPassword" Attributes..

Basiclly all that is happening here is that the system is stepping through the code to check against the nesacary ACLs using the Authentication provided. The last line basiclly confirms that authorization was granted. So that that user should be able to view the "userPassword" attributes...

Does that help?

-Josh

On Friday, June 13, 2003, at 01:14 AM, <philippe.broussard@e-qual.fr> wrote:

Hi,

I have a question about the ACL, here's the log of a connexion by user
AdminContacts (he is not the superuser) to the database


daemon: socket() failed errno=97 (Address family not supported by
protocol)
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19,
2002)
Global ACL: access to attrs=userPassword
        by dn.base=cn=admincontacts,ou=contacts,dc=e-qual,dc=fr
write(=wrscx)
        by anonymous auth(=x)
        by self write(=wrscx)
        by * none(=n)

Global ACL: access to dn.subtree=ou=contacts,dc=e-qual,dc=fr
        by dn.base=cn=admincontacts,ou=contacts,dc=e-qual,dc=fr
write(=wrscx)
        by * none(=n)

Global ACL: access to *
        by self write(=wrscx)
        by users read(=rscx)
        by anonymous read(=rscx)

bdb_db_init: Initializing BDB database
slapd starting


1   => access_allowed: auth access to
"cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" "userPassword" requested
2   => acl_get: [1] check attr userPassword
3   <= acl_get: [1] acl cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
attr: userPassword
4   => acl_mask: access to entry
"cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr", attr "userPassword"
requested
5   => acl_mask: to all values by "", (=n)
6   <= check a_dn_pat: cn=admincontacts,ou=contacts,dc=e-qual,dc=fr
7   <= check a_dn_pat: anonymous
8   <= acl_mask: [2] applying auth(=x) (stop)
9   <= acl_mask: [2] mask: auth(=x)
10  => access_allowed: auth access granted by auth(=x)


My question is simple :
	can someone could me explain the meaning of the lines 1 to 10
(and if possible the [1] and [2])?

I think understand but I would want a confirmation

Thanks for the answer


Philippe

-Joshua Bernstein
Systems Analyst
University of Arizona
Tucson, Arizona, USA

References:
- ACL
  - From: <philippe.broussard@e-qual.fr>

Prev by Date: ACL
Next by Date: Re: Active directory and openldap
Index(es):
- Chronological
- Thread