
problem with acl and wildcard



Hello all,

I have a problem writing an ACL.

I want all users to have write access to entries implementing any objectClass prefixed by a given string.


So I wrote these ACLs:

access to *
   by self write
   by anonymous auth

access to filter="(objectClass=prefix*)"
   by users write


and I can't access the data while doing an ldapsearch as an authenticated user ("uid=me,ou=utilisateurs,dc=company,dc=local").
In the access-level logs I get the following, on an entry that implements a prefixXXX objectClass:
----------------------------------------------------------
=> access_allowed: search access to "uid=toto,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl uid=toto,ou=utilisateurs,dc=company,dc=local attr: objectClass
=> acl_mask: access to entry "uid=toto,ou=utilisateurs,dc=company,dc=local", attr "objectClass" requested
=> acl_mask: to all values by "uid=me,ou=utilisateurs,dc=company,dc=local", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
----------------------------------------------------------


But according to the second ACL, I should be granted write access on "uid=toto,ou=utilisateurs,dc=company,dc=local", so I should be able to search the objectClass attribute...

What is the problem?

My config:
fedora core 1
openldap-2.1.22

François
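Added example, not part of the original post and not taken from the poster's configuration: a slapd.conf ACL fragment that reorders the rules. slapd selects the first "access to" directive whose target matches the entry and attribute and never looks at later directives, which is what the log above shows: acl [1] (the "access to *" rule) is chosen, only its "self" and "anonymous" clauses are checked, and the request ends with =n. Putting the more specific rule first is the fix. A second point the example handles: objectClass has only an equality matching rule and no substring rule, so a filter like "(objectClass=prefix*)" is undefined and matches no entry; the classes have to be listed explicitly. The names prefixA and prefixB are placeholders for the real objectClasses that share the prefix.

```conf
# Added example (not the original poster's config).
#
# slapd uses the first "access to" directive whose target matches and stops
# there, so the specific rule has to come before the catch-all "access to *".
#
# objectClass has an EQUALITY matching rule (objectIdentifierMatch) but no
# SUBSTR rule, so "(objectClass=prefix*)" is an undefined filter and matches
# nothing. List the classes sharing the prefix explicitly instead.
# prefixA / prefixB are placeholder names for the real objectClasses.
access to filter="(|(objectClass=prefixA)(objectClass=prefixB))"
    by self write
    by users write
    by anonymous auth

# Everything else keeps the original policy: the owner can write, and
# anonymous may authenticate (bind) against the entry.
access to *
    by self write
    by anonymous auth
```

Access levels in slapd are cumulative (none < auth < compare < search < read < write), so "by users write" on the first rule also grants the search access the log shows being denied. After the change, re-running the same ldapsearch with ACL logging enabled should show acl [1] matching the "users" clause instead of returning =n.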