[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL group.regex in 2.1.22

To: openldap-software@OpenLDAP.org
Subject: Re: ACL group.regex in 2.1.22
From: Ace Suares <ace@suares.nl>
Date: Sun, 12 Oct 2003 17:57:42 -0400
Content-disposition: inline
In-reply-to: <m3r81i2loz.fsf@marin.l4b.de>
Organization: Ace Suares' Internet Consultancy
References: <200310121436.43079.ace@suares.nl> <200310121540.21786.ace@suares.nl> <m3r81i2loz.fsf@marin.l4b.de>
User-agent: KMail/1.5.1


> > the question is: why is the group access rule 'skipped'?
>
> Because of your global rule
> access to * by none
>
> <= check a_dn_pat: *
> <= acl_mask: [5] applying none(=n) (stop)
> <= acl_mask: [5] mask: none(=n)
> => access_allowed: search access denied by none(=n)
>

Can anyone confirm that ?

I was under the impression that in the log files, I would see something like

<= check a_dn_pat: qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido
<= check a_dn_pat: ^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido
<= check a_dn_pat: 
^qGroup=$1,qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido
<= check a_dn_pat: qRole=123,qApp=qwido
<= check a_dn_pat: *

All the other 'who' clauses are listed in the logfiles, just not the 
'group'-rule.

_Ace

Follow-Ups:
- Re: ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>

References:
- ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>
- Re: ACL group.regex in 2.1.22
  - From: Ace Suares <ace@suares.nl>
- Re: ACL group.regex in 2.1.22
  - From: Dieter Kluenter <dieter@dkluenter.de>

Prev by Date: libpam-ldap and disabling accounts
Next by Date: XML export standard
Index(es):
- Chronological
- Thread