Re: problem with acl and wildcard
Quanah Gibson-Mount wrote:
--On Monday, March 22, 2004 9:31 AM +0100 François Beretti
<francois.beretti@enatel.com> wrote:
Hello all,
I have a problem writing an ACL.
I want all the users to have write access to entries implementing any
objectclass prefixed by a given string.
So I wrote these ACLs:
access to *
by self write
by anonymous auth
Add a "by * break" after this point. OpenLDAP evaluates as far as the
first ACL to govern permission to what you are requesting (and "*"
governs everything!), and stops, unless you have a break statement.
Thanks for your answer, Quanah.
But unfortunately that did not work:
Here are my ACLs:
-----------------------------------------------------------------------------
access to *
by self write
by anonymous auth
by * break
access to filter="(objectClass=company*)"
by users write
-----------------------------------------------------------------------------
The entry "uid=somebody,ou=utilisateurs,dc=company,dc=local" implements an
objectClass named companyUser (so it matches the filter
"(objectClass=company*)").
With the command:
ldapsearch -x -D "uid=me,ou=utilisateurs,dc=company,dc=local" -w passwd
-b "uid=somebody,ou=utilisateurs,dc=company,dc=local"
slapd -d 384 gives me the following output:
-----------------------------------------------------------------------------
conn=0 fd=7 ACCEPT from IP=127.0.0.1:2559 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="uid=me,ou=utilisateurs,dc=company,dc=local" method=128
=> access_allowed: auth access to
"uid=me,ou=utilisateurs,dc=company,dc=local" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=me,ou=utilisateurs,dc=company,dc=local attr:
userPassword
=> acl_mask: access to entry
"uid=me,ou=utilisateurs,dc=company,dc=local", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=x) (stop)
<= acl_mask: [2] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
conn=0 op=0 BIND dn="uid=me,ou=utilisateurs,dc=company,dc=local"
mech=simple ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="uid=somebody,ou=utilisateurs,dc=company,dc=local"
scope=2 filter="(objectClass=*)"
=> access_allowed: search access to
"uid=somebody,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl uid=somebody,ou=utilisateurs,dc=company,dc=local
attr: objectClass
=> acl_mask: access to entry
"uid=somebody,ou=utilisateurs,dc=company,dc=local", attr "objectClass"
requested
=> acl_mask: to all values by
"uid=me,ou=utilisateurs,dc=company,dc=local", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [3] applying +0 (break)
<= acl_mask: [3] mask: =n
=> access_allowed: search access to
"uid=somebody,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
<= acl_get: done.
=> access_allowed: no more rules
conn=0 op=2 UNBIND
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=7 closed
-----------------------------------------------------------------------------
*Very important*:
when I substitute companyUser for company* in the ACL's filter, it
works like a charm :-/
Are wildcards allowed in ACL filters?
François
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
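The following is an added model of how slapd walks the two ACLs from this thread; it is constructed for illustration and is not OpenLDAP code. A wildcard in a filter is a substring assertion, and the standard objectClass attribute type defines an EQUALITY rule but no SUBSTR rule, so "(objectClass=company*)" evaluates as Undefined and the second ACL never applies; the model reproduces the "break" then "no more rules" path seen in the log, and shows the equality filter granting access. The ACL/entry values are the thread's; the helper names are my own.

```python
"""Toy OpenLDAP-style ACL evaluator (constructed example, not slapd source)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attribute types with no SUBSTR matching rule: a substring filter on them is Undefined.
NO_SUBSTR_RULE = {"objectclass"}
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def filter_matches(flt: str, entry: dict):
    """Evaluate one (attr=value) filter. Returns True, False, or None for Undefined."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups()
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    if value == "*":                       # presence filter
        return bool(values)
    if "*" in value:                       # substring assertion
        if attr.lower() in NO_SUBSTR_RULE:
            return None                    # Undefined: no SUBSTR rule for this attribute
        pattern = re.escape(value.lower()).replace(r"\*", ".*")
        return any(re.fullmatch(pattern, v) for v in values)
    return value.lower() in values         # equality assertion

@dataclass
class Acl:
    target_filter: Optional[str]                     # None models "access to *"
    by: List[Tuple[str, Optional[str], str]]         # (who, level, "stop" | "break")

def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    return {"*": True,
            "anonymous": bind_dn is None,
            "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn.lower() == entry_dn.lower(),
            }.get(who, False)

def access_allowed(acls, bind_dn, entry_dn, entry, requested) -> bool:
    """First ACL whose target applies is used; a matching 'by' with stop decides,
    break moves on to the next ACL; running out of ACLs denies ("no more rules")."""
    for acl in acls:
        if acl.target_filter and filter_matches(acl.target_filter, entry) is not True:
            continue                                   # False or Undefined: ACL skipped
        for who, level, control in acl.by:
            if not who_matches(who, bind_dn, entry_dn):
                continue
            if control == "break":
                break                                  # "+0 (break)": try the next ACL
            return LEVELS.index(level) >= LEVELS.index(requested)
    return False

# The thread's configuration (constructed entry: somebody has objectClass companyUser).
ME, SOMEBODY = "uid=me,ou=utilisateurs,dc=company,dc=local", "uid=somebody,ou=utilisateurs,dc=company,dc=local"
ENTRY = {"objectclass": ["top", "person", "companyUser"], "uid": ["somebody"]}
FIRST = Acl(None, [("self", "write", "stop"), ("anonymous", "auth", "stop"), ("*", None, "break")])
WILDCARD_ACLS = [FIRST, Acl("(objectClass=company*)", [("users", "write", "stop")])]
EQUALITY_ACLS = [FIRST, Acl("(objectClass=companyUser)", [("users", "write", "stop")])]
```

Calling `access_allowed(WILDCARD_ACLS, ME, SOMEBODY, ENTRY, "search")` yields False (the denied search from the log), while the same call with `EQUALITY_ACLS` yields True.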