access 'sets'
Hi,
I'm trying to implement an ACL based on sets, but it doesn't work. I
defined the ACL as:
access to dn.children="ou=Jobs,ou=PyKota,o=test"
    by dn="cn=pykota,ou=Admin,o=test" write
    by set="user/uid & this/pykotaUserName" read
    by * search
If I search for an object (the object has pykotaUserName=testuser) with
'ldapsearch -x -D uid=testuser,ou=People,o=test -W pykotaUserName=testuser',
I get the following debug output on the server:
=> dn: [26] ou=jobs,ou=pykota,o=test
=> acl_get: [26] matched
=> acl_get: [26] attr entry
=> acl_mask: access to entry "cn=123,ou=Jobs,ou=PyKota,o=test", attr "entry" requested
=> acl_mask: to all values by "uid=testuser,ou=people,o=test", (=n)
<= check a_dn_pat: cn=pykota,ou=admin,o=test
<= check a_dn_pat: *
<= acl_mask: [3] applying search(=scx) (stop)
<= acl_mask: [3] mask: search(=scx)
=> access_allowed: read access denied by search(=scx)
It seems like the server doesn't recognize the set rule, because the server
only tries 'check a_dn_pat: cn=pykota,ou=admin,o=test' and 'check a_dn_pat: *'.
I'm using OpenLDAP 2.2.13-2 running on a RHEL 4 server.
Thanks in advance
Boris Stobbe
--
*----------------------------------------------------------------------*
| Boris Stobbe * Informatik Rechner Betrieb Universität Paderborn |
*----------------------------------------------------------------------*
| Sungurus * DB-Gurus/Benutzerverwaltung * http://irb.uni-paderborn.de |
*----------------------------------------------------------------------*
| Email: bstobbe@upb.de * sungurus@upb.de * dbgurus@upb.de |
*----------------------------------------------------------------------*
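To make the intended semantics of the ACL above concrete, here is an added, self-contained Python model of how slapd evaluates the three "by" clauses in order (first match stops), including the set clause "user/uid & this/pykotaUserName" as an intersection of attribute values. This is illustrative code written for this note, not OpenLDAP's own implementation; the directory entries are constructed, DN matching is simplified to exact comparison on normalized DNs, and set expressions are limited to "&" and "|" without parentheses.

```python
# Constructed mini-directory keyed by normalized (lower-cased) DN, mirroring the post.
DIRECTORY = {
    "cn=pykota,ou=admin,o=test": {"cn": ["pykota"]},
    "uid=testuser,ou=people,o=test": {"uid": ["testuser"]},
    "uid=other,ou=people,o=test": {"uid": ["other"]},
    "cn=123,ou=jobs,ou=pykota,o=test": {"cn": ["123"], "pykotaUserName": ["testuser"]},
}

# Access levels in increasing order of privilege (simplified slapd ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The post's ACL as (clause kind, pattern, granted level); evaluated top to bottom.
ACL = [
    ("dn", "cn=pykota,ou=admin,o=test", "write"),
    ("set", "user/uid & this/pykotaUserName", "read"),
    ("*", None, "search"),
]

def eval_set(expr, bind_dn, target_dn):
    """Return the value set of a slapd-style set expression; non-empty means the clause matches."""
    def term(t):
        t = t.strip()
        if t.startswith('"') and t.endswith('"'):      # quoted literal, e.g. "cn=admin"
            return {t[1:-1]}
        base, attr = t.split("/", 1)                      # "user/uid" or "this/pykotaUserName"
        dn = {"user": bind_dn, "this": target_dn}[base]
        return set(DIRECTORY.get(dn, {}).get(attr, []))
    result = set()
    for or_part in expr.split("|"):                       # "|" is set union
        vals = None
        for and_part in or_part.split("&"):               # "&" is set intersection
            vals = term(and_part) if vals is None else vals & term(and_part)
        result |= vals
    return result

def access_level(bind_dn, target_dn):
    """First matching 'by' clause wins, as in slapd's implicit 'stop' behaviour."""
    for kind, pattern, level in ACL:
        if kind == "dn" and bind_dn == pattern:
            return level
        if kind == "set" and eval_set(pattern, bind_dn, target_dn):
            return level
        if kind == "*":
            return level
    return "none"

def allowed(bind_dn, target_dn, requested):
    """True if the granted level covers the requested one (read implies search, etc.)."""
    return LEVELS.index(access_level(bind_dn, target_dn)) >= LEVELS.index(requested)
```

With a working set clause, testuser should land on the "read" line; the log in the post shows the fallback "search(=scx)" being applied instead, which is the behaviour to compare against.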