ACL access clause parsing
It would appear that the ACL access clause parsing has changed between
OpenLDAP 2.0 and 2.1.
This ACL worked in 2.0:
access to attrs=carLicense
by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
by self write
by * none
In 2.1 (at least 2.1.27 and 2.1.29), if the authenticated DN is a member
of the Readers group, and they are attempting to modify their
carLicense, they will fail with "Insufficient access (50)".
However, if I reorder the ACL to:
access to attrs=carLicense
by self write
by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
by * none
Then the modification of my own entry works even if I'm a member of the
Readers group.
Was this change intentional and I missed it somewhere in the
documentation (which includes the slapd.access manpage for 2.1.29) or is
it an error and I should file an ITS?
Thanks,
--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God bless all inhabitants of your planet ===
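An added illustration, not part of the post: a toy evaluator that applies the "first matching <by> clause wins" rule documented in slapd.access(5) to the two ACL orderings above, with group membership taken from a constructed table rather than a directory. Under the group-first ordering a Readers member writing their own carLicense hits the group clause first and is capped at read, which matches the "Insufficient access" result; putting `by self write` first changes the outcome.

```python
# Toy model of the "first matching <by> clause wins" rule from slapd.access(5),
# showing why the two carLicense orderings in the post differ for a user who
# is also a Readers member. Membership comes from a constructed table.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample data (not from the post): one Readers member, bound as ME.
ME = "uid=frank,ou=People,dc=my-domain,dc=com"
GROUPS = {"cn=Readers,ou=Admin,dc=my-domain,dc=com": {ME}}

def parse_by_clauses(acl_text):
    """Turn the 'by <who> <level>' lines of an access directive into tuples."""
    clauses = []
    for line in acl_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "by":
            clauses.append((parts[1], parts[2]))
    return clauses

def who_matches(who, bind_dn, target_dn):
    """Decide whether a <who> clause applies to bind_dn acting on target_dn."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn == target_dn
    if who.startswith("group="):
        return bind_dn in GROUPS.get(who[len("group="):].strip('"'), set())
    raise ValueError(f"unsupported <who> form: {who}")

def granted_level(acl_text, bind_dn, target_dn):
    """Walk the <by> clauses in order; evaluation stops at the first match."""
    for who, level in parse_by_clauses(acl_text):
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"  # slapd's implicit trailing 'by * none'

def allowed(acl_text, bind_dn, target_dn, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl_text, bind_dn, target_dn)) >= LEVELS.index(needed)

GROUP_FIRST = """access to attrs=carLicense
  by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
  by self write
  by * none"""
SELF_FIRST = """access to attrs=carLicense
  by self write
  by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
  by * none"""

if __name__ == "__main__":
    print(allowed(GROUP_FIRST, ME, ME, "write"), allowed(SELF_FIRST, ME, ME, "write"))  # False True
```

The same first-match rule means a Readers member still gets read on other entries under both orderings, and a DN that is neither self nor a member falls through to `by * none`.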