reading ACL debug log.

["Jason C. Leach" <jleach@ocis.net>]

hi,

I'm looking for a hand deciphering some ACL debug output:

Aug  9 12:40:47 robson slapd[1878]: => access_allowed: search access to "uid=carlos$,ou=Machine,ou=Accounts,o=jsthrower.com,dc=foo,dc=com" "objectClass" requested

Why does it say access_allowed when it seems to be making a request?
Because the request is allowed?

Aug  9 12:40:47 robson slapd[1878]: => acl_get: [1] check attr objectClass
Aug  9 12:40:47 robson slapd[1878]: => acl_get: [2] check attr objectClass
Aug  9 12:40:47 robson slapd[1878]: <= acl_get: [2] acl uid=carlos$,ou=Machine,ou=Accounts,o=foo.com,dc=foo,dc=com attr: objectClass
Aug  9 12:40:47 robson slapd[1878]: => acl_mask: access to entry "uid=carlos$,ou=Machine,ou=Accounts,o=jsthrower.com,dc=jsthrower,dc=com", attr "objectClass" requested
Aug  9 12:40:47 robson slapd[1878]: => acl_mask: to value by "", (=n)

What does this (above) line mean? Specifically by "", (=n)? Does it first
mask ALL access?

Aug  9 12:40:47 robson slapd[1878]: <= check a_dn_pat: cn=MANAGER,dc=foo,dc=com
Aug  9 12:40:47 robson slapd[1878]: <= check a_dn_pat: *

In the above two lines, is this who is allowed access. It seems the ACLs first
take away all access, then give it to the two lines above.

Aug  9 12:40:47 robson slapd[1878]: <= acl_mask: [2] applying read(=rscx) (stop)
Aug  9 12:40:47 robson slapd[1878]: <= acl_mask: [2] mask: read(=rscx)

In the above two lines it seems to be granting read access to the initial request. What does (stop) mean?


Aug  9 12:40:47 robson slapd[1878]: => access_allowed: search access granted by 
read(=rscx)

Finally the request is granted.


-- 
......................
..... Jason C. Leach
.. 

Current PGP/GPG Key ID: 43AD2024