
Re: ACL debug woes.

--On Thursday, January 12, 2006 3:47 PM -0500 Leeman Strout <me@mooluv.com> wrote:

The last attempt with my ACLs:

access to *
        by dn="cn=admin,dc=nodomain" write
        by self write
        by * read

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry,children,@inetorgperson
        by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry
        by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read

In addition to Aaron's response, the most important thing to always remember about ACLs in OpenLDAP is that they *stop* at the first applicable ACL unless you have a "by * break" statement. So all that will ever be evaluated from your above ACLs is the very first clause, because it catches everything. None of your ACLs past that point will ever be looked at.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
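The reordering Quanah describes, written out as an added slapd.conf fragment (this is not part of the thread and not the poster's final configuration). It keeps the DIT layout implied by the posted rules (user entries at uid=<user>,ou=<group>,dc=nodomain, each with an "ou=Address Book" child) and assumes cn=admin,dc=nodomain is the rootdn-style account from the catch-all. The specific rule goes first so it is actually reached; the separate read-only rule from the post is folded in, since write already implies read in OpenLDAP's cumulative access levels; and the rule ends with "by * break" so identities it does not name fall through to the catch-all instead of hitting the implicit "by * none" that terminates every access directive.

```conf
# Added example, not from the original thread. Assumed DIT layout:
#   uid=<user>,ou=<group>,dc=nodomain                  a user entry
#   ou=Address Book,uid=<user>,ou=<group>,dc=nodomain  that user's address book
#
# Specific rule first. The regex is unanchored at the start, so it also
# selects entries *below* the address book (the "children" pseudo-attribute
# and @inetorgperson cover adding and editing contacts there).
access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry,children,@inetorgperson
        by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write
        by dn.exact="cn=admin,dc=nodomain" write
        by * break

# Catch-all last: consulted for targets the rule above does not select
# (other DNs, or other attributes of address-book entries), and for
# identities handed on by "by * break".
access to *
        by dn.exact="cn=admin,dc=nodomain" write
        by self write
        by * read

# Check the result without restarting slapd (assumed paths and DNs):
#   slapacl -f /etc/ldap/slapd.conf -v \
#       -D "uid=alice,ou=people,dc=nodomain" \
#       -b "ou=Address Book,uid=alice,ou=people,dc=nodomain" entry/write
```

"by * break" reproduces the original catch-all behaviour for everyone who is not the owner or admin, which means the address book stays world-readable via "by * read". If each address book is meant to be private, replace "by * break" with "by * none" (or simply drop it), and re-run the slapacl check as a different user to confirm the denial.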