
Re: problem with sets in 2.2.5 (not in 2.1.25)



On Tue, 2005-09-27 at 13:25 -0700, Quanah Gibson-Mount wrote:
> 
> --On Tuesday, September 27, 2005 3:38 PM +0200 Giuseppe Milano 
> <g.milano@reitek.com> wrote:
> 
> > Hi Kurt,
> >
> > I've experienced the same trouble with SETS switching from 2.1.25 to
> > 2.2.23.
> >
> > I use SETS to decide which entry a user can see and which he can modify.
> > This is decided by matching attribute values of user and entry for which
> > the user wants read/write privileges. Here is an example of my ACLS that
> > use SETS clause on openldap 2.1.25:
> >
> > access to attr=canExecute
> >  by self read
> >  by users set=(this/executeAccessLevel&user/groupAffiliation) read
> >  by users set=(this/executeAccessLevel&user/userPermission) read
> >  by users set=(this/executeAccessLevel&[Everyone]) read
> >
> >
> > I've found very useful your article in Faq-O-Matic.
> > I can't find other information about the SETS clause not working in newer
> > versions of openldap.
> >
> > So what I'd like to ask is if you or someone else has found a solution to
> > use SETS in the newer versions of openldap.
> 
> Pierangelo is the one who generally works on sets.  Have you tried in 
> OpenLDAP 2.3.7?  The set statements in my ACL's currently work correctly.
> 
>     by set.exact="this/uid & user/uid" sasl_ssf=56 read
> 
> is what I have.  It makes me wonder if you need some spaces in your set 
> statement, and it also looks like you may need to read the updated 
> documentation on sets.

No; they look just fine, and work as expected in HEAD.  I note a few
issues were fixed in 2.2.12 and 2.2.16 according to the changelog;
there might have been other changes, not directly related to sets, that
are not logged.  I'd carefully look at logs with -d 64 (config) and -d
128 (acl) to see what happens when the sets are parsed and then used.

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
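
A simplified model of how the set clauses in the quoted ACL decide access, added here as an example; it is not part of the original messages and not slapd's code. It assumes only `this/<attr>`, `user/<attr>`, `[literal]` and `&` are used, that values compare as exact strings, and the sample entries are constructed.

```python
# Simplified model of OpenLDAP ACL "set" evaluation (added example, not slapd code).
# Assumptions: only this/<attr>, user/<attr>, [literal] and the & operator are
# handled; values compare as exact strings (real slapd applies matching rules).
import re

TOKEN = re.compile(r"\s*(this/[\w-]+|user/[\w-]+|\[[^\]]*\]|&)\s*")

def eval_set(expr, this_entry, user_entry):
    """Return the set of values produced by a set expression."""
    pos, result, expect_operand = 0, None, True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse set at offset {pos}: {expr[pos:]!r}")
        tok, pos = m.group(1), m.end()
        if tok == "&":
            if expect_operand:
                raise ValueError("operator without left operand")
            expect_operand = True
            continue
        if not expect_operand:
            raise ValueError("missing operator between operands")
        if tok.startswith("["):
            values = {tok[1:-1]}                      # literal, e.g. [Everyone]
        else:
            scope, attr = tok.split("/", 1)
            entry = this_entry if scope == "this" else user_entry
            values = set(entry.get(attr, ()))         # missing attribute -> empty set
        result = values if result is None else result & values
        expect_operand = False
    if expect_operand:
        raise ValueError("set expression is empty or ends with an operator")
    return result

def set_grants(expr, this_entry, user_entry):
    # A "by ... set=" clause matches when the resulting set is non-empty.
    return bool(eval_set(expr, this_entry, user_entry))

# Constructed sample entries using the attribute names from the quoted ACL.
TARGET = {"executeAccessLevel": ["ops", "Everyone"]}
LOCKED = {"executeAccessLevel": ["admins"]}
ALICE = {"groupAffiliation": ["ops"], "userPermission": ["audit"]}
BOB = {"groupAffiliation": ["sales"]}
```

In this model the `[Everyone]` clause grants read to any bound user whenever the target entry carries that value, regardless of the user's own attributes.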