Re: Decyphering openldap ACL logs
At 08:27 PM 4/29/2004, rajkumars@asianetindia.com wrote:
>> >=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
>
>What is the meaning of "=>" and "<=" ?
Generally, these refer to logging on input and output respectively.
>How did you find that? both log([1] and [2]) entries are similar!
By looking at surrounding log entries.
>> ><= acl_get: [2] acl dc=cse,dc=com attr: entry
>> >=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
>> >=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
>> ><= check a_dn_pat: cn=admin,dc=com
>> ><= check a_dn_pat: *
>
>What is the meaning of acl_get, acl_mask, a_dn_pat?
acl_get and acl_mask, as used above, are function names.
a_dn_pat is a field name, the field that holds the DN pattern.
>> This is from the first clause of the second access statement.
>> It doesn't match.
>>
>> ><= acl_mask: [3] applying read(=rscx) (stop)
>> ><= acl_mask: [3] mask: read(=rscx)
>>
>> Here it's saying that the third clause of (second) access
>> statement applied.
>
>What is the meaning of "applying read(=rscx) (stop)" and "mask: read(=rscx)" ?
Means that the clause is being applied and the resultant
access level is read.
>> >=> access_allowed: write access denied by read(=rscx)
>>
>> This says that write access to entry was denied as subject
>> (uid=mailadmin,dc=com) was only authorized to read.
>
>Ok. My ldif file is given below, I am wondering why the aci entries were not applied.
I'll leave commenting on ACIs to others more familiar with them.
I've yet to find a reason to use them myself.
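
The reading of the trace given in this thread, as an added example that is not part of the original message or of OpenLDAP itself: a small Python parser that turns the quoted slapd ACL debug lines into one summary per access check. The names SAMPLE, RULES and summarize are hypothetical, and the line formats are assumed to be exactly those quoted above; other slapd versions may log differently.

```python
import re

# Constructed sample: the trace lines quoted in the thread, with the mail
# quote markers removed and the wrapped lines rejoined.
SAMPLE = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Per the thread: acl_get [n] is the access statement, acl_mask [n] the clause.
RULES = [
    ("request", re.compile(r'=> access_allowed: (?P<level>\w+) access to '
                           r'"(?P<dn>[^"]*)" "(?P<attr>[^"]*)" requested')),
    ("field", re.compile(r'<= acl_get: \[(?P<statement>\d+)\]')),
    ("field", re.compile(r'=> acl_mask: to .* by "(?P<subject>[^"]*)"')),
    ("pattern", re.compile(r'<= check a_dn_pat: (?P<pat>.+)')),
    ("field", re.compile(r'<= acl_mask: \[(?P<clause>\d+)\] applying (?P<applied>\S+)')),
    ("field", re.compile(r'=> access_allowed: \w+ access '
                         r'(?P<decision>granted|denied) by (?P<final>\S+)')),
]

def summarize(trace):
    """Return one dict per access_allowed request found in the trace."""
    results, cur = [], None
    for line in trace.splitlines():
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if kind == "request":
                cur = {"patterns": [], **m.groupdict()}
                results.append(cur)
            elif cur is not None:  # ignore lines before the first request
                if kind == "pattern":
                    cur["patterns"].append(m["pat"].strip())
                else:
                    cur.update(m.groupdict())
            break
    return results

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the sample, the summary shows the write request on "dc=cse,dc=com" by "uid=mailadmin, dc=com" denied, with statement [2], clause [3] yielding read(=rscx).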