-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm trying to implement an ACL based on sets, but it doesn't work. I
defined the ACL as:
access to dn.children="ou=Jobs,ou=PyKota,o=test"
    by dn="cn=pykota,ou=Admin,o=test" write
    by set="user/uid & this/pykotaUserName" read
    by * search
If I search for an object (the object has pykotaUserName=testuser) with
'ldapsearch -x -D uid=testuser,ou=People,o=test -W pykotaUserName=testuser',
I get the following debug output on the server:
=> dn: [26] ou=jobs,ou=pykota,o=test
=> acl_get: [26] matched
=> acl_get: [26] attr entry
=> acl_mask: access to entry "cn=123,ou=Jobs,ou=PyKota,o=test", attr "entry" requested
=> acl_mask: to all values by "uid=testuser,ou=people,o=test", (=n)
<= check a_dn_pat: cn=pykota,ou=admin,o=test
<= check a_dn_pat: *
<= acl_mask: [3] applying search(=scx) (stop)
<= acl_mask: [3] mask: search(=scx)
=> access_allowed: read access denied by search(=scx)
It seems like the server doesn't recognize the set rule, because the server
only tries 'check a_dn_pat: cn=pykota,ou=admin,o=test' and 'check a_dn_pat: *'
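For readers who want to see what the set clause above is meant to compute, here is a small model of the evaluation, added to this page as an illustration; it is not code from the post and not slapd's own implementation. It builds a constructed in-memory directory (the entries, DNs and values are made up for the example), evaluates the set expression `user/uid & this/pykotaUserName` by projecting the bound DN and the target entry through their attributes and intersecting the results, and then walks the three `by` clauses first-match-wins, which is what the `(stop)` in the debug trace refers to. The set rule grants access only when the intersection is non-empty, i.e. when the bound user's `uid` equals the entry's `pykotaUserName`.

```python
"""Toy model of how the set-based ACL in the post is meant to evaluate.

Added illustration, not slapd code. The directory contents below are
constructed for the example; attribute values are compared case-insensitively,
roughly like uid's caseIgnoreMatch.
"""
from __future__ import annotations

# Constructed sample entries; keys are lower-cased DNs so lookups are
# case-insensitive like a real DIT.
DIRECTORY = {
    "cn=pykota,ou=admin,o=test": {"cn": ["pykota"]},
    "uid=testuser,ou=people,o=test": {"uid": ["testuser"]},
    "uid=other,ou=people,o=test": {"uid": ["other"]},
    "cn=123,ou=jobs,ou=pykota,o=test": {"cn": ["123"], "pykotaUserName": ["testuser"]},
    "cn=124,ou=jobs,ou=pykota,o=test": {"cn": ["124"], "pykotaUserName": ["other"]},
}

# The ACL from the post, as (clause kind, pattern, access level), in the
# order the clauses are written.
ACL = [
    ("dn", "cn=pykota,ou=Admin,o=test", "write"),
    ("set", "user/uid & this/pykotaUserName", "read"),
    ("*", None, "search"),
]


def norm(value: str) -> str:
    """Normalise a DN or attribute value for case-insensitive comparison."""
    return value.strip().lower()


def attr_values(dn: str, attr: str) -> set[str]:
    """Values of one attribute of one entry (empty set if absent)."""
    entry = DIRECTORY.get(norm(dn), {})
    for name, values in entry.items():
        if norm(name) == norm(attr):
            return {norm(v) for v in values}
    return set()


def eval_term(term: str, user_dn: str, this_dn: str) -> set[str]:
    """Evaluate one term such as 'user/uid' or 'this/pykotaUserName':
    start from a set of DNs ('user' = bound DN, 'this' = target entry,
    or a quoted literal DN) and project through each '/attr' step,
    unioning the attribute values of every member."""
    base, *steps = [p.strip() for p in term.split("/")]
    if base == "user":
        current = {norm(user_dn)}
    elif base == "this":
        current = {norm(this_dn)}
    elif base.startswith('"') and base.endswith('"'):
        current = {norm(base[1:-1])}  # literal DN
    else:
        raise ValueError(f"unknown set base: {base!r}")
    for attr in steps:
        current = set().union(*(attr_values(member, attr) for member in current))
    return current


def eval_set(expr: str, user_dn: str, this_dn: str) -> set[str]:
    """Left-to-right '&' (intersection) and '|' (union), no parentheses;
    enough for the expression used in the post."""
    tokens = expr.replace("&", " & ").replace("|", " | ").split()
    result = eval_term(tokens[0], user_dn, this_dn)
    for op, term in zip(tokens[1::2], tokens[2::2]):
        rhs = eval_term(term, user_dn, this_dn)
        result = result & rhs if op == "&" else result | rhs
    return result


def access_for(user_dn: str, this_dn: str) -> str:
    """Walk the 'by' clauses in order; the first clause whose subject
    matches decides (the default 'stop' control). A set clause matches
    only when its expression evaluates to a non-empty set."""
    for kind, pattern, level in ACL:
        if kind == "dn" and norm(pattern) == norm(user_dn):
            return level
        if kind == "set" and eval_set(pattern, user_dn, this_dn):
            return level
        if kind == "*":
            return level
    return "none"


if __name__ == "__main__":
    target = "cn=123,ou=Jobs,ou=PyKota,o=test"
    for who in ("cn=pykota,ou=Admin,o=test",
                "uid=testuser,ou=People,o=test",
                "uid=other,ou=People,o=test"):
        print(f"{who} -> {access_for(who, target)} on {target}")
```

With these constructed entries, `uid=testuser` gets `read` on `cn=123` (its `pykotaUserName` matches) but only `search` on `cn=124`, while the `cn=pykota` admin DN gets `write` everywhere because its `by dn` clause is tried first. The model deliberately says nothing about why a particular slapd build did or did not evaluate the clause; it only shows the semantics the rule is written to express.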