
acl's with peername.path not honoured?



Hi,
I would like to have a subtree being searched by the back-ldap backend and
have the following rule

.-.-.-.-.-.-..-.-.access rule.-.-.-.-.-.-.-.-..-.-.-.-.
access  to dn.regex="cn=([^,]+),ou=Partner,o=avci,c=de$$"
        by dn.exact="cn=$1,ou=Partner,o=avci,c=de" write
        by peername.path=/home/dieter/openldap/var/run/ldapi read
        by users read
        by * auth
.-.-.-.-.-.-.-.-.-.-.-.-.--.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

An excerpt from logfiles shows that read access is denied and only an 
auth level is granted

.-.-.-.-.excerpt from log.-.-.-.-.-.-.-.-.-....-.-.-.-.-.
slapd[3958]: conn=0 fd=19 ACCEPT from PATH= (PATH=/home/dieter/openldap/var/run/ldapi)
slapd[3960]: conn=0 op=0 BIND dn="" method=128 
slapd[3960]: conn=0 op=0 RESULT tag=97 err=0 text= 
slapd[3960]: conn=0 op=1 SRCH base="ou=partner,o=hdk,c=de" scope=1 deref=3 filter="(sn=kluenter)"
slapd[3960]: conn=0 op=1 SRCH attr=telephonenumber 
slapd[3950]: connection_get(15) 
slapd[3961]: send_ldap_result: err=0 matched="" text="" 
slapd[3950]: connection_get(15) 
slapd[3961]: SRCH "ou=partner,o=avci,c=de" 1 3
slapd[3961]:     500 3600 0 
slapd[3961]:     filter: (sn=kluenter) 
slapd[3961]:     attrs:
slapd[3961]:  telephonenumber
slapd[3961]: bdb_idl_fetch_key: [01872a84] 
slapd[3961]: bdb_idl_fetch_key: [b49d1940] 
slapd[3961]: bdb_idl_fetch_key: [b048bd26] 
slapd[3961]: => access_allowed: search access to "cn=Dieter Kluenter,ou=Partner,o=avci,c=de" "sn" requested
slapd[3961]: => dnpat: [3] cn=([^,]+),ou=Partner,o=avci,c=de$$ nsub: 1 
slapd[3961]: => acl_get: [3] matched 
slapd[3961]: => acl_get: [3] attr sn 
slapd[3961]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "sn" requested
slapd[3961]: => acl_mask: to value by "", (=n)  
slapd[3961]: <= check a_dn_pat: cn=$1,ou=partner,o=avci,c=de 
slapd[3961]: <= check a_peername_path: /home/dieter/openldap/var/run/ldapi
slapd[3961]: <= check a_dn_pat: users
slapd[3961]: <= check a_dn_pat: * 
slapd[3961]: <= acl_mask: [4] applying auth(=x) (stop) 
slapd[3961]: <= acl_mask: [4] mask: auth(=x) 
slapd[3961]: => access_allowed: search access denied by auth(=x) 
.--.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

Is slapd not honouring the peername_path or am I missing something?

-Dieter

-- 
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de
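
Added example, not part of the original message: a small Python parser for the slapd ACL trace quoted above, which reports the clauses that were checked and the one that was applied. It assumes the ACCEPT line gives the peer name first and the listener name in parentheses; the sample lines are copied from the excerpt with mail-wrapped lines rejoined, and the function and field names are made up for this example.

```python
import re

# Lines copied from the excerpt in the post, with mail-wrapped lines rejoined.
SAMPLE = """\
slapd[3958]: conn=0 fd=19 ACCEPT from PATH= (PATH=/home/dieter/openldap/var/run/ldapi)
slapd[3961]: => access_allowed: search access to "cn=Dieter Kluenter,ou=Partner,o=avci,c=de" "sn" requested
slapd[3961]: => acl_mask: to value by "", (=n)
slapd[3961]: <= check a_dn_pat: cn=$1,ou=partner,o=avci,c=de
slapd[3961]: <= check a_peername_path: /home/dieter/openldap/var/run/ldapi
slapd[3961]: <= check a_dn_pat: users
slapd[3961]: <= check a_dn_pat: *
slapd[3961]: <= acl_mask: [4] applying auth(=x) (stop)
slapd[3961]: => access_allowed: search access denied by auth(=x)
"""

ACCEPT = re.compile(r"ACCEPT from (\S*) \((\S*)\)")
REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BOUND = re.compile(r'=> acl_mask: to .+? by "([^"]*)"')
CHECK = re.compile(r"<= check (\w+): (.*\S)")
APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying (\S+)")
RESULT = re.compile(r"=> access_allowed: \w+ access (granted|denied)")

def parse_trace(text):
    """Return (connection info, list of ACL decisions) from a slapd debug trace."""
    conn, decisions, cur = {}, [], None
    for line in text.splitlines():
        if m := ACCEPT.search(line):
            # Assumed field order: peer name first, listener name in parentheses.
            conn = {"peer": m.group(1), "listener": m.group(2)}
        elif m := REQUEST.search(line):
            cur = {"level": m.group(1), "entry": m.group(2), "attr": m.group(3),
                   "bound_dn": None, "checked": [], "applied": None, "result": None}
            decisions.append(cur)
        elif cur is None:
            continue  # ACL trace lines only make sense after a request line
        elif m := BOUND.search(line):
            cur["bound_dn"] = m.group(1)  # "" means the session is anonymous
        elif m := CHECK.search(line):
            cur["checked"].append((m.group(1), m.group(2)))
        elif m := APPLY.search(line):
            cur["applied"] = (int(m.group(1)), m.group(2))
        elif m := RESULT.search(line):
            cur["result"] = m.group(1)
    return conn, decisions

if __name__ == "__main__":
    conn, decisions = parse_trace(SAMPLE)
    print(conn)
    for d in decisions:
        print(d["level"], d["attr"], d["checked"], d["applied"], d["result"])
```

On the excerpt it reports an empty bound DN, a peer name of just "PATH=" with the ldapi path appearing as the listener name, and clause [4] (by * auth) as the one applied.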