[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL group.regex in 2.1.22

To: openldap-software@OpenLDAP.org
Subject: Re: ACL group.regex in 2.1.22
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Sun, 12 Oct 2003 23:25:00 +0200
In-reply-to: <200310121540.21786.ace@suares.nl> (Ace Suares's message of "Sun, 12 Oct 2003 15:40:21 -0400")
References: <200310121436.43079.ace@suares.nl> <m3vfqu2r8v.fsf@marin.l4b.de> <200310121540.21786.ace@suares.nl>
User-agent: Gnus/5.1001 (Gnus v5.10.1) XEmacs/21.4 (Portable Code, linux)

Hi,

Ace Suares <ace@suares.nl> writes:

> Dieter, thanx for your reaction, but:
>
>> by dn.regex="qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido" write
>> qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,qIsp=isp001,q
>>Role=isp,qApp=qwido
>>
>> Please compare your 'who' clause with the distinguished name you want
>> to get access with.
>
> the 'qManager=man001' is member of the 'qGroup=ftp'.
>
> the 'qManager=man001' is supposed NOT to match any of the dn.regex rules, so 
> that works fine. 
>
> the question is: why is the group access rule 'skipped'?

Because of your global rule
access to * by none

<= check a_dn_pat: *
<= acl_mask: [5] applying none(=n) (stop)
<= acl_mask: [5] mask: none(=n)
=> access_allowed: search access denied by none(=n)


-Dieter







-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de

Follow-Ups:
- Re: ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>

References:
- ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>
- Re: ACL group.regex in 2.1.22
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>

Prev by Date: Re: OpenSSL + Kerberos + Cyrus-SASL + OpenLDAP
Next by Date: Re: ACLView: tool to visualize effect of ACL's
Index(es):
- Chronological
- Thread