[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL access clause parsing

To: OpenLDAP-Software@OpenLDAP.org
Subject: ACL access clause parsing
From: Frank Swasey <Frank.Swasey@uvm.edu>
Date: Thu, 15 Apr 2004 10:49:39 -0400 (EDT)

It would appear that the ACL access clause parsing has changed between
OpenLDAP 2.0 and 2.1.

This ACL worked in 2.0:

access to attrs=carLicense
    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
    by self write
    by * none

In 2.1 (at least 2.1.27 and 2.1.29), if the authenticated DN is a member
of the Readers group, and they are attempting to modify their
carLicense, they will fail with "Insufficient access (50)".

However, if I reorder the ACL to:

access to attrs=carLicense
   by self write
   by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
   by * none

Then the modification of my own entry works even if I'm a member of the
Readers group.

Was this change intentional and I missed it somewhere in the
documentation (which includes the slapd.access manpage for 2.1.29) or is
it an error and I should file an ITS?

Thanks,
-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
        === God bless all inhabitants of your planet ===

Follow-Ups:
- Re: ACL access clause parsing
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Slave server with invisible master server
Next by Date: Re: Proposal for openldap project financing.
Index(es):
- Chronological
- Thread