[Date Prev][Date Next] [Chronological] [Thread] [Top]

help with set acl

To: OpenLDAP software list <OpenLDAP-software@OpenLDAP.org>
Subject: help with set acl
From: Patrick Radtke <phr2101@columbia.edu>
Date: Tue, 20 Jun 2006 16:34:21 -0400

I'm trying to use the set acl to grant read permission to any entry who has the value 'CUNIX_wheel' for the multi-valued attribute 'affiliation' (of type directoryString with caseIgnoreMatch)

I think I have the syntax right, but I'm having a lot of trouble getting it to work. I using 2.3.20

access to *
	by self read
	by anonymous auth
	by set="user/affiliation* & [CUNIX_wheel]" read


here's what happens when I bind as myself and list my afffiliations

/usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu -p 3451 -Y GSSAPI -LLL uni=phr2101 affiliation SASL/GSSAPI authentication started SASL username: phr2101@CC.COLUMBIA.EDU SASL SSF: 56 SASL installing layers dn: uni=phr2101,ou=People,o=Columbia University,c=US affiliation: ACISdialupNet affiliation: ACISlabUser .... [edit out long list of affiliations] affiliation: CUNIX_src affiliation: CUNIX_staff affiliation: CUNIX_sy affiliation: CUNIX_us affiliation: CUNIX_wheel ... [edit out some affiliations] affiliation: CUadministrator_IT affiliation: CUcourse_COMSE6181_001_2005_3 affiliation: CUcourse_COMSE6998_007_2005_1

however when I search for someone else /usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu - p 3451 -Y GSSAPI -LLL uni=zg1 SASL/GSSAPI authentication started SASL username: phr2101@CC.COLUMBIA.EDU SASL SSF: 56 SASL installing layers


I don't get any results.


The log file shows

=> access_allowed: auth access to "uni=phr2101,ou=People,o=Columbia University,c=US" "uni" requested => acl_get: [1] attr uni => acl_mask: access to entry "uni=phr2101,ou=People,o=Columbia University,c=US", attr "uni" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: self <= check a_dn_pat: anonymous <= acl_mask: [2] applying auth(=xd) (stop) <= acl_mask: [2] mask: auth(=xd) => access_allowed: auth access granted by auth(=xd) => access_allowed: search access to "uni=zg1,ou=People,o=Columbia University,c=US" "uni" requested => acl_get: [1] attr uni => acl_mask: access to entry "uni=zg1,ou=People,o=Columbia University,c=US", attr "uni" requested => acl_mask: to value by "uni=phr2101,ou=people,o=columbia university,c=us", (=0) <= check a_dn_pat: self <= check a_dn_pat: anonymous <= check a_set_pat: user/affiliation* & [CUNIX_wheel] => bdb_entry_get: found entry: "uni=phr2101,ou=people,o=columbia university,c=us" <= acl_mask: no more <who> clauses, returning =0 (stop) => access_allowed: search access denied by =0

I'm not sure how to interpret these logs, but from what I can tell it finds my entry where it checks the set pattern...

I'm new to sets and have spent some time reading the faq and previous questions, but I'm not sure what I missing.

anyone know what's going on? or have a better way of making my acl?

thanks,

Patrick

Prev by Date: RE: Database deadlock when adding new entry
Next by Date: LDAP+SASL
Index(es):
- Chronological
- Thread