ACL group.regex in 2.1.22
- To: openldap-software@OpenLDAP.org
- Subject: ACL group.regex in 2.1.22
- From: Ace Suares <ace@suares.nl>
- Date: Sun, 12 Oct 2003 14:36:43 -0400
- Content-disposition: inline
- Organization: Ace Suares' Internet Consultancy
- User-agent: KMail/1.5.1
Dear all,
Again, those ACLs bit me in places I don't want to be bitten :-(
I have the following ACL:
access to dn.regex="^qService=(.*),qDomain=(.*),qRole=domain,qIsp=(.*),qRole=isp,qApp=qwido"
    by dn.regex="qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido" write
    by dn.regex="^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" read
    by group="^qGroup=$1,qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" read
    by dn.regex="qRole=123,qApp=qwido" read
    by * none
I know, it's complicated to read, but just note that the 3rd 'by' clause is
'group'.
Now, in my log files, I see:
<= acl_get: [8] acl qService=ftp,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido attr: objectClass
=> acl_mask: access to entry "qService=ftp,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido", attr "objectClass" requested
=> acl_mask: to all values by "qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido", (=n)
<= check a_dn_pat: qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido
<= check a_dn_pat: ^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido
<= check a_dn_pat: qRole=123,qApp=qwido
<= check a_dn_pat: *
<= acl_mask: [5] applying none(=n) (stop)
<= acl_mask: [5] mask: none(=n)
=> access_allowed: search access denied by none(=n)
Again, difficult to read, but note that the 'by group' doesn't show up while
all the others (by dn.regex, and *) do.
What's the reason for this? Do I need to upgrade? Did I overlook something
very simple!?
Any help would be appreciated.
PS 'by group' defaults to 'by group.regex', doesn't it?
I read http://www.openldap.org/faq/index.cgi?file=52 and it seems that what I
am doing is the same as described in the FAQ.
_Ace
--
Ace Suares' Internet Consultancy
NEW ADDRESS: P.O. Box 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
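
An added example, not part of the original post and not OpenLDAP code: a Python sketch that replays the three dn.regex 'by' clauses from the ACL above against the two DNs in the log, expanding $1..$3 from the target match first. It assumes Python's `re` with case-insensitive matching stands in for slapd's regex engine and that captured text is inserted into the pattern verbatim; the group clause is left out because it needs a membership lookup in the directory.

```python
import re

# Copied from the post: the <what> regex and the dn.regex <who> clauses.
TARGET_RE = r"^qService=(.*),qDomain=(.*),qRole=domain,qIsp=(.*),qRole=isp,qApp=qwido"
BY_DN_REGEX = [
    r"qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido",
    r"^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido",
    r"qRole=123,qApp=qwido",
]
# DNs taken from the acl_mask log lines (wrapped lines rejoined).
ENTRY_DN = ("qService=ftp,qDomain=suares.com,qRole=domain,"
            "qIsp=isp001,qRole=isp,qApp=qwido")
BIND_DN = ("qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,"
           "qIsp=isp001,qRole=isp,qApp=qwido")


def expand(pattern, target_match):
    """Replace $1..$9 with the text captured from the target DN.

    Assumption: the captured text is inserted verbatim, not regex-escaped.
    """
    def sub(m):
        return target_match.group(int(m.group(1))) or ""
    return re.sub(r"\$(\d)", sub, pattern)


def evaluate(entry_dn, bind_dn):
    """Return [(expanded_pattern, matched), ...], or None if the ACL
    does not select the entry at all."""
    target = re.search(TARGET_RE, entry_dn, re.IGNORECASE)
    if target is None:
        return None
    results = []
    for pat in BY_DN_REGEX:
        expanded = expand(pat, target)
        hit = re.search(expanded, bind_dn, re.IGNORECASE) is not None
        results.append((expanded, hit))
    return results


if __name__ == "__main__":
    for expanded, hit in evaluate(ENTRY_DN, BIND_DN):
        print(f"{'MATCH   ' if hit else 'no match'}  {expanded}")
```

With the DNs from the log, none of the three dn.regex clauses matches, which agrees with the logged fall-through to 'by * none'.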