ACL rule problem
Hi *,
Banging my head on an ACL rule problem, using OL 2.1.22. I have
consulted the Admin guide, the slapd.access man page and the FAQ
(especially http://www.openldap.org/faq/data/cache/973.html). From
looking at these sources and applying what they tell me my rule
*should* work.
The ACL:
--------------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
    by group/groupOfUniqueNames/uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
    by * none
--------------------------
The outcome:
----------------
=> access_allowed: search access to
"ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
=> acl_get: [2] matched
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr:
objectClass
=> acl_mask: access to entry
"ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass"
requested
=> acl_mask: to value by
"cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
(=n)
-----------------
I'm convinced this must be a replacement problem, but the debugging
does not tell me what $2 evaluates to during processing. Can anyone see
a flaw in the rule or know how to debug access rules with even more
detail?
Thanks!
jens
---------------
Jens Vagelpohl jens@zetwork.com
Zetwork GmbH http://www.zetwork.com/
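
Added example (not part of the original message, and not OpenLDAP code): a Python sketch that reproduces the substitution step the debug output does not show, using the rule and the DNs from the post. It assumes slapd replaces $N with the Nth parenthesised submatch of the "access to" pattern and turns $$ into a literal $; the function names are hypothetical, and Python's re stands in for the POSIX regex library slapd uses.

```python
import re

# Values copied from the ACL and the debug log in the post above.
TARGET_PATTERN = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
WHO_TEMPLATE = "^ou=$2,ou=mail,dc=mycompany,dc=com$$"
TARGET_DN = "ou=mycompany.com,ou=mail,dc=mycompany,dc=com"


def submatches(pattern, dn):
    """Return [whole match, $1, $2, ...] for dn, or None if the rule does not apply."""
    m = re.search(pattern, dn, re.IGNORECASE)
    if m is None:
        return None
    # A group that did not take part in the match expands to an empty string.
    return [m.group(0)] + [g or "" for g in m.groups()]


def expand(template, subs):
    """Expand $0..$9 and $$ in template (assumed slapd substitution rules)."""
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if template[i] == "$" and nxt == "$":
            out.append("$")          # $$ is an escaped, literal dollar sign
            i += 2
        elif template[i] == "$" and nxt.isdigit():
            n = int(nxt)
            out.append(subs[n] if n < len(subs) else "")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def expanded_who(dn):
    """Expanded <who> string for a target DN, or None if the <what> pattern misses."""
    subs = submatches(TARGET_PATTERN, dn)
    return None if subs is None else expand(WHO_TEMPLATE, subs)


if __name__ == "__main__":
    subs = submatches(TARGET_PATTERN, TARGET_DN)
    print("$1 = %r, $2 = %r" % (subs[1], subs[2]))
    print("expanded:", expanded_who(TARGET_DN))
```

Whether slapd then uses the expanded string as a literal group DN or as a regular expression depends on the clause and the release, so slapd.access(5) for the installed version is the place to confirm that.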