[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Upgrading ACLs



--On Friday, October 07, 2005 5:29 PM -0700 Jeffrey Froman <openldap.tcijf@olympus.net> wrote:


I am upgrading from openldap-2.1.22 to openldap-2.2.23, and I am having
some  difficulty getting the ACLs to a state that the new version is
happy with.  Can anyone describe (or point me to a document that
describes) the ACL syntax  differences between these versions? My
searches have so far have produced  only fragmentary results.

What I've learned so far: I found I needed to change "access to dn=" to
"access to dn.regex=" when the dn contained any regular expression
syntax.  After making this change, slapd starts without complaint, but it
appears that  my "by group=" access rules are not being used, if I am
interpreting the  slapd logging output correctly.

I also changed "attr=" to "attrs=" for each ACL.

Other possibly relevant information: Some of the group identifiers
contain  references to a match group in dn.regex, such as:

    access to dn.regex="dc=([^,]+),o=([^,]+)"
	by group="cn=admin,ou=sys,o=$2"


You probably want

by group.expand="......"

See the slapd.access man page.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin