problem with acl and wildcard
- To: Liste OpenLDAP-Software <openldap-software@OpenLDAP.org>
- Subject: problem with acl and wildcard
- From: François Beretti <francois.beretti@enatel.com>
- Date: Mon, 22 Mar 2004 09:31:12 +0100
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.6b) Gecko/20031205 Thunderbird/0.4
Hello all,
I have a problem writing ACLs.
I want all the users to have write access to entries implementing any
objectClass prefixed by a given string.
So I wrote these ACLs:
access to *
        by self write
        by anonymous auth
access to filter="(objectClass=prefix*)"
        by users write
and I can't access the data when doing an ldapsearch as an
authenticated user ("uid=me,ou=utilisateurs,dc=company,dc=local").
In the access-level logs I get the following, on an entry that
implements a prefixXXX objectClass:
----------------------------------------------------------
=> access_allowed: search access to
"uid=toto,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl uid=toto,ou=utilisateurs,dc=company,dc=local attr:
objectClass
=> acl_mask: access to entry
"uid=toto,ou=utilisateurs,dc=company,dc=local", attr "objectClass" requested
=> acl_mask: to all values by
"uid=me,ou=utilisateurs,dc=company,dc=local", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
----------------------------------------------------------
But according to the second ACL, I should be granted write access on
"uid=toto,ou=utilisateurs,dc=company,dc=local", so I should be able to
search the objectClass attribute...
What is the problem?
my config:
fedora core 1
openldap-2.1.22
François
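As an added illustration (not part of François' post or of OpenLDAP itself), a small Python model of how slapd picks an ACL, reproducing the log above: slapd uses the first `access to` clause whose <what> matches the entry, then the first <who> clause matching the requester, and if no <who> clause matches the result is `none` and later ACLs are never consulted, which is what `acl_get: [1]` followed by `no more <who> clauses, returning =n (stop)` records. The model only handles the `*` and `filter="(objectClass=...)"` <what> forms and the `self`/`anonymous`/`users` <who> keywords used in the post; the entry, its objectClass values and the reordered ACL list are constructed here.

```python
"""Toy model of slapd ACL evaluation (constructed example, not OpenLDAP code)."""
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def filter_matches(filt, entry):
    """Only the '(objectClass=value*)' shape from the post; '*' is a wildcard."""
    m = re.fullmatch(r"\(objectClass=([^)]*)\)", filt, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    pattern = re.escape(m.group(1)).replace(r"\*", ".*")
    return any(re.fullmatch(pattern, oc, re.IGNORECASE) for oc in entry["objectClass"])

def what_matches(what, entry):
    if what == "*":
        return True
    if what.startswith("filter="):
        return filter_matches(what[len("filter="):].strip('"'), entry)
    raise ValueError("unsupported <what>: %s" % what)

def who_matches(who, binddn, entry):
    return {"anonymous": binddn is None,
            "users": binddn is not None,
            "self": binddn is not None and binddn.lower() == entry["dn"].lower(),
            }.get(who, False)

def evaluate(acls, entry, binddn):
    """Return (level, acl_number). slapd takes the FIRST 'access to' clause whose
    <what> matches the entry, then the FIRST <who> clause matching the requester.
    If no <who> matches, the result is 'none' and evaluation stops; later ACLs are
    never consulted ("no more <who> clauses, returning =n (stop)" in the log)."""
    for number, (what, bys) in enumerate(acls, start=1):
        if not what_matches(what, entry):
            continue
        for who, level in bys:
            if who_matches(who, binddn, entry):
                return level, number
        return "none", number
    return "none", 0  # implicit final 'access to * by * none'

def can(acls, entry, binddn, needed):  # e.g. write access also covers search
    return LEVELS[evaluate(acls, entry, binddn)[0]] >= LEVELS[needed]

# The two ACLs from the post, the same clauses with the specific one first, and a
# constructed entry / requester DN mirroring the DNs in the posted log.
POSTED = [("*", [("self", "write"), ("anonymous", "auth")]),
          ('filter="(objectClass=prefix*)"', [("users", "write")])]
REORDERED = [POSTED[1], POSTED[0]]
TOTO = {"dn": "uid=toto,ou=utilisateurs,dc=company,dc=local",
        "objectClass": ["top", "person", "prefixXXX"]}
ME = "uid=me,ou=utilisateurs,dc=company,dc=local"
```

With the posted order, `evaluate(POSTED, TOTO, ME)` returns `("none", 1)`, matching the log; with the specific clause first it returns `("write", 1)`, so the search on objectClass is allowed.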