
Re: problem with acl and wildcard



Quanah Gibson-Mount wrote:

--On Monday, March 22, 2004 9:31 AM +0100 François Beretti <francois.beretti@enatel.com> wrote:

Hello all

I have a problem writing ACLs.

I want all the users to have write access to entries implementing any
objectclass prefixed by a given string

So I wrote these ACLs:

access to *
    by self write
    by anonymous auth

Add a "by * break" after this point. OpenLDAP evaluates as far as the first ACL to govern permission to what you are requesting (and "*" governs everything!), and stops, unless you have a break statement.

Thanks for your answer Quanah

But unfortunately that did not work:

Here are my ACLs:
-----------------------------------------------------------------------------
access to *
   by self write
   by anonymous auth
   by * break

access to filter="(objectClass=company*)"
   by users write
-----------------------------------------------------------------------------

The entry "uid=somebody,ou=utilisateurs,dc=company,dc=local" implements an
objectClass named companyUser (so it matches the filter "(objectClass=company*)").


With the command:
ldapsearch -x -D "uid=me,ou=utilisateurs,dc=company,dc=local" -w passwd -b "uid=somebody,ou=utilisateurs,dc=company,dc=local"


slapd -d 384 gives me the following output:
-----------------------------------------------------------------------------
conn=0 fd=7 ACCEPT from IP=127.0.0.1:2559 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="uid=me,ou=utilisateurs,dc=company,dc=local" method=128
=> access_allowed: auth access to "uid=me,ou=utilisateurs,dc=company,dc=local" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=me,ou=utilisateurs,dc=company,dc=local attr: userPassword
=> acl_mask: access to entry "uid=me,ou=utilisateurs,dc=company,dc=local", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=x) (stop)
<= acl_mask: [2] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
conn=0 op=0 BIND dn="uid=me,ou=utilisateurs,dc=company,dc=local" mech=simple ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="uid=somebody,ou=utilisateurs,dc=company,dc=local" scope=2 filter="(objectClass=*)"
=> access_allowed: search access to "uid=somebody,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl uid=somebody,ou=utilisateurs,dc=company,dc=local attr: objectClass
=> acl_mask: access to entry "uid=somebody,ou=utilisateurs,dc=company,dc=local", attr "objectClass" requested
=> acl_mask: to all values by "uid=me,ou=utilisateurs,dc=company,dc=local", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [3] applying +0 (break)
<= acl_mask: [3] mask: =n
=> access_allowed: search access to "uid=somebody,ou=utilisateurs,dc=company,dc=local" "objectClass" requested
<= acl_get: done.
=> access_allowed: no more rules
conn=0 op=2 UNBIND
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=7 closed
-----------------------------------------------------------------------------


*Very important*:
When I substitute companyUser for company* in the ACL's filter, it works like a charm :-/


Are wildcards allowed in ACL filters?

François



--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
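The trace above shows the third "by * break" clause firing ("[3] applying +0 (break)") and then "acl_get: done" / "no more rules": the second ACL was never selected for the entry at all. The toy evaluator below, an added example that is not OpenLDAP code, models the two behaviours that produce that trace: without "by * break" the first "access to *" clause ends evaluation, and a substring filter on objectClass cannot select an entry because the objectClass attribute type has only an equality matching rule (objectIdentifierMatch) and no SUBSTR rule, so slapd treats "(objectClass=company*)" as not matching. The ACL sets, the entry, the DNs and the HAS_SUBSTR table are constructed for this example; real slapd supports far more "who" and "what" forms than are modelled here.

```python
"""Toy model of slapd ACL evaluation (added example, not OpenLDAP code).

Models: "access to <what> by <who> <access>" lists, the "break" control,
and filter-based <what> clauses, including why a substring filter on
objectClass never matches.
"""
import re

# Attribute types that carry a SUBSTR matching rule in the standard schema.
# objectClass is deliberately absent: it has only objectIdentifierMatch.
# (Assumption for this model: a short, illustrative list.)
HAS_SUBSTR = {"cn", "sn", "uid", "mail"}

# Access levels in increasing order; "write" implies everything below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def eval_filter(flt, entry):
    """Evaluate a single (attr=value) or (attr=pre*fix) filter.

    Returns True, False or None (Undefined). A substring assertion on an
    attribute without a SUBSTR rule is Undefined, which never selects.
    """
    m = re.fullmatch(r"\(([\w-]+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for v in entry["attrs"].get(attr, [])]
    if "*" in pattern:
        if attr not in HAS_SUBSTR:
            return None
        rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")
        return any(rx.match(v) is not None for v in values)
    return pattern in values


def who_matches(who, bind_dn, entry_dn):
    """Subset of slapd <who> forms: *, anonymous, users, self."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    return False


def access_allowed(acls, bind_dn, entry, requested):
    """Walk the ACL list the way acl_get/acl_mask do.

    The first <what> clause that selects the entry is consulted; unless a
    matching <by> clause says "break", evaluation stops there.
    """
    for acl in acls:
        if acl["to"] != "*" and eval_filter(acl["to"], entry) is not True:
            continue  # ACL does not select this entry (False or Undefined)
        for who, access in acl["by"]:
            if not who_matches(who, bind_dn, entry["dn"]):
                continue
            if access == "break":
                break  # leave this <by> list and go on to the next ACL
            return LEVELS.index(access) >= LEVELS.index(requested)
        else:
            return False  # ACL selected the entry, no <by> matched: denied
    return False  # "no more rules": default is no access


# --- constructed sample data mirroring the thread -------------------------
ME_DN = "uid=me,ou=utilisateurs,dc=company,dc=local"
SOMEBODY = {
    "dn": "uid=somebody,ou=utilisateurs,dc=company,dc=local",
    "attrs": {"objectclass": ["inetOrgPerson", "companyUser"],
              "cn": ["Somebody"], "uid": ["somebody"]},
}

# Original posting: no break, so "access to *" ends evaluation.
ACLS_NO_BREAK = [
    {"to": "*", "by": [("self", "write"), ("anonymous", "auth")]},
    {"to": "(objectClass=company*)", "by": [("users", "write")]},
]
# After Quanah's advice: break added, but the wildcard filter never selects.
ACLS_BREAK = [
    {"to": "*", "by": [("self", "write"), ("anonymous", "auth"), ("*", "break")]},
    {"to": "(objectClass=company*)", "by": [("users", "write")]},
]
# Exact objectClass value, as in the "works like a charm" case.
ACLS_FIXED = [
    {"to": "*", "by": [("self", "write"), ("anonymous", "auth"), ("*", "break")]},
    {"to": "(objectClass=companyUser)", "by": [("users", "write")]},
]

if __name__ == "__main__":
    for name, acls in (("no break", ACLS_NO_BREAK), ("break + wildcard", ACLS_BREAK),
                       ("break + exact", ACLS_FIXED)):
        print("%-18s read by me: %s" % (name, access_allowed(acls, ME_DN, SOMEBODY, "read")))
```

Running the script prints False, False, True for the three ACL sets, which is the sequence of outcomes François describes: only the exact objectClass value lets the second ACL select the entry. The model also shows that "by * break" on its own is harmless for the anonymous bind (the "auth" clause still matches before the break is reached).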