[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL debug woes.

To: Leeman Strout <me@mooluv.com>, openldap-software@OpenLDAP.org
Subject: Re: ACL debug woes.
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 12 Jan 2006 16:11:41 -0800
Content-disposition: inline
In-reply-to: <43C6C070.3010704@mooluv.com>
References: <43C6C070.3010704@mooluv.com>

--On Thursday, January 12, 2006 3:47 PM -0500 Leeman Strout <me@mooluv.com> wrote:

The last attempt with my ACLs:

access to *
         by dn="cn=admin,dc=nodomain" write
         by self write
         by * read

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
         attrs=entry,children,@inetorgperson
     by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
         attrs=entry
     by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read

In addition to Aaron's response, the most important thing to always remember about ACL's in OpenLDAP is that they *stop* at the first applicable ACL unless you have a "by * break" statement. So all that will ever be evaluated from your above ACLs is the very first clause, because it catches everything. None of your ACLs past that point will ever be looked at.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- ACL question...
  - From: Krishna Sivaramapuram <krishna@everyone.net>

References:
- ACL debug woes.
  - From: Leeman Strout <me@mooluv.com>

Prev by Date: Re: Berkeley DB versions
Next by Date: ACL question...
Index(es):
- Chronological
- Thread