
Re: Decyphering openldap ACL logs



At 08:27 PM 4/29/2004, rajkumars@asianetindia.com wrote:
>> >=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
>
>What is the meaning of "=>" and "<=" ? 

Generally, these refer to logging on input and output, respectively.

>How did you find that? both log([1] and [2]) entries are similar!

By looking at surrounding log entries.

>> ><= acl_get: [2] acl dc=cse,dc=com attr: entry
>> >=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
>> >=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)  
>> ><= check a_dn_pat: cn=admin,dc=com 
>> ><= check a_dn_pat: * 
>
>What is the meaning of acl_get, acl_mask, a_dn_pat?

acl_get and acl_mask, as used above, are function names.
a_dn_pat is a field name, the field that holds the DN pattern.

>> This is from the first clause of the second access statement.
>> It doesn't match.
>> 
>> ><= acl_mask: [3] applying read(=rscx) (stop) 
>> ><= acl_mask: [3] mask: read(=rscx) 
>> 
>> Here it's saying that the third clause of the (second) access
>> statement applied.
>
>What is the meaning of "applying read(=rscx) (stop)" and "mask: read(=rscx)" ?

Means that the clause is being applied and the resultant
access level is read.

>> >=> access_allowed: write access denied by read(=rscx) 
>> 
>> This says that write access to entry was denied as subject
>> (uid=mailadmin,dc=com) was only authorized to read.
>
>Ok. My ldif file is given below, I am wondering why the aci entries were not applied.

I'll leave commenting on ACIs to others more familiar with them.
I've yet to find a reason to use them myself.
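
As an added example (not part of the thread above, and not OpenLDAP project code), the following Python script folds a slapd ACL trace like the one quoted in the message into one record and re-derives the verdict from the access-level ordering, so the "denied by read(=rscx)" line can be checked rather than taken on faith. The regular expressions are written against the exact lines quoted above; the first sample is those lines re-joined one per record, and the second sample (a "granted" trace for cn=admin) is constructed here to show the other outcome, with its exact wording assumed from the same format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# slapd access levels, weakest to strongest. A grant of one level implies every
# level below it, which is why "read" prints as (=rscx): r=read, s=search,
# c=compare, x=auth. "disclose" and "manage" exist only in newer releases but do
# not change the ordering of the older levels.
ACCESS_ORDER = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample 1: the ACL trace quoted in the message above, one record
# per line (slapd emits these with the "acl" loglevel, 128).
SAMPLE_LOG = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Constructed sample 2 (assumed wording): the same request by the DN that the
# first "by" clause names, so clause [1] applies and write is granted.
GRANTED_LOG = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "cn=admin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= acl_mask: [1] applying write(=wrscx) (stop)
<= acl_mask: [1] mask: write(=wrscx)
=> access_allowed: write access granted by write(=wrscx)
"""

RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_ACL_GET = re.compile(r'^<= acl_get: \[(\d+)\] acl (\S+) attr: (\S+)')
RE_SUBJECT = re.compile(r'^=> acl_mask: to .* by "([^"]*)", \(=(\w*)\)')
RE_PATTERN = re.compile(r'^<= check a_dn_pat: (.+)$')
RE_APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\) \((\w+)\)')
RE_VERDICT = re.compile(r'^=> access_allowed: (\w+) access (granted|denied) by (\w+)\(=(\w*)\)')


@dataclass
class AclTrace:
    requested: Optional[str] = None       # level the operation needs (e.g. write)
    target_dn: Optional[str] = None
    attr: Optional[str] = None
    subject_dn: Optional[str] = None      # the identity the "by" clauses are matched against
    acl_index: Optional[int] = None       # [n] in acl_get: which access statement matched the target
    clause_index: Optional[int] = None    # [n] in acl_mask: which "by" clause matched the subject
    tried_patterns: List[str] = field(default_factory=list)  # a_dn_pat values checked, in order
    granted: Optional[str] = None         # level name from the applied clause
    mask_letters: Optional[str] = None    # the (=...) expansion of that level
    control: Optional[str] = None         # stop / continue / break
    server_verdict: Optional[str] = None  # granted / denied, as slapd printed it


def parse_acl_trace(text: str) -> AclTrace:
    """Fold one access_allowed trace (the "=>" entry through the final "<=" and verdict) into a record."""
    t = AclTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_REQUEST.match(line):
            t.requested, t.target_dn, t.attr = m.group(1), m.group(2), m.group(3)
        elif m := RE_ACL_GET.match(line):
            t.acl_index = int(m.group(1))
        elif m := RE_SUBJECT.match(line):
            t.subject_dn = m.group(1)
        elif m := RE_PATTERN.match(line):
            t.tried_patterns.append(m.group(1))
        elif m := RE_APPLY.match(line):
            t.clause_index = int(m.group(1))
            t.granted, t.mask_letters, t.control = m.group(2), m.group(3), m.group(4)
        elif m := RE_VERDICT.match(line):
            t.server_verdict = m.group(2)
    return t


def decide(trace: AclTrace) -> bool:
    """Re-derive the verdict: allowed iff the granted level is at least as strong as the requested one."""
    if trace.requested is None or trace.granted is None:
        return False  # no clause applied in this trace: treat as denied
    return ACCESS_ORDER.index(trace.granted) >= ACCESS_ORDER.index(trace.requested)


def explain(trace: AclTrace) -> str:
    """One-line reading of the trace, in the style of the reply above."""
    verdict = "allowed" if decide(trace) else "denied"
    return (f'{trace.requested} access to "{trace.target_dn}" (attr {trace.attr}) '
            f'by "{trace.subject_dn}": access statement [{trace.acl_index}] matched the target, '
            f'clause [{trace.clause_index}] matched the subject after trying '
            f'{", ".join(trace.tried_patterns)} and granted {trace.granted}(={trace.mask_letters}); '
            f'{trace.requested} {verdict}')


if __name__ == "__main__":
    for log in (SAMPLE_LOG, GRANTED_LOG):
        tr = parse_acl_trace(log)
        print(explain(tr))
        # the re-derived verdict must agree with what slapd printed
        assert (tr.server_verdict == "granted") == decide(tr)
```

Run it against a trace cut from a slapd -d 128 session (one access_allowed block at a time); if `decide()` ever disagrees with the server's own verdict line, the trace was cut mid-record or the mask letters reflect a level this table does not know.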