help with set acl
I'm trying to use the set ACL to grant read permission to any entry
who has the value 'CUNIX_wheel' for the multi-valued attribute
'affiliation' (of type directoryString with caseIgnoreMatch).
I think I have the syntax right, but I'm having a lot of trouble
getting it to work. I'm using 2.3.20.
access to *
by self read
by anonymous auth
by set="user/affiliation* & [CUNIX_wheel]" read
Here's what happens when I bind as myself and list my affiliations:
/usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu -p 3451 -Y GSSAPI -LLL uni=phr2101 affiliation
SASL/GSSAPI authentication started
SASL username: phr2101@CC.COLUMBIA.EDU
SASL SSF: 56
SASL installing layers
dn: uni=phr2101,ou=People,o=Columbia University,c=US
affiliation: ACISdialupNet
affiliation: ACISlabUser
.... [edit out long list of affiliations]
affiliation: CUNIX_src
affiliation: CUNIX_staff
affiliation: CUNIX_sy
affiliation: CUNIX_us
affiliation: CUNIX_wheel
... [edit out some affiliations]
affiliation: CUadministrator_IT
affiliation: CUcourse_COMSE6181_001_2005_3
affiliation: CUcourse_COMSE6998_007_2005_1
However, when I search for someone else:
/usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu -p 3451 -Y GSSAPI -LLL uni=zg1
SASL/GSSAPI authentication started
SASL username: phr2101@CC.COLUMBIA.EDU
SASL SSF: 56
SASL installing layers
I don't get any results.
The log file shows:
=> access_allowed: auth access to "uni=phr2101,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=phr2101,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "uni=zg1,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=zg1,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "uni=phr2101,ou=people,o=columbia university,c=us", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_set_pat: user/affiliation* & [CUNIX_wheel]
=> bdb_entry_get: found entry: "uni=phr2101,ou=people,o=columbia university,c=us"
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> access_allowed: search access denied by =0
I'm not sure how to interpret these logs, but from what I can tell it
finds my entry where it checks the set pattern...
I'm new to sets and have spent some time reading the FAQ and previous
questions, but I'm not sure what I'm missing.
Anyone know what's going on? Or have a better way of making my ACL?
thanks,
Patrick
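The trace above is the slapd ACL debug output (the "acl" loglevel), and reading it by eye gets tedious once more than one check is involved. The script below is an added example, not part of Patrick's post or of OpenLDAP itself: it groups such a trace into one record per access check, listing the binding DN, the <who> clauses slapd tried in order, any entry lookups the set evaluation triggered, the clause that fired, and the final decision. The sample trace is the one quoted in the post, with the DN lines that wrapped in the e-mail re-joined. One assumption is labelled in the code: that the `[N]` counter in the `applying` line is the 1-based position of the <who> clause, i.e. the N-th `check` line before it.

```python
import re
from typing import Optional

# Constructed sample: the slapd ACL trace quoted in the post, with wrapped
# DN lines re-joined. Everything else is as logged by slapd 2.3.
SAMPLE_TRACE = """\
=> access_allowed: auth access to "uni=phr2101,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=phr2101,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "uni=zg1,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=zg1,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "uni=phr2101,ou=people,o=columbia university,c=us", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_set_pat: user/affiliation* & [CUNIX_wheel]
=> bdb_entry_get: found entry: "uni=phr2101,ou=people,o=columbia university,c=us"
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> access_allowed: search access denied by =0
"""

RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "(.+)" "(\S+)" requested$')
RE_BY      = re.compile(r'^=> acl_mask: to value by "(.*)", \(=(\w*)\)$')
RE_CHECK   = re.compile(r'^<= check (a_\w+): (.*)$')
RE_APPLY   = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\S+) \(stop\)$')
RE_LOOKUP  = re.compile(r'^=> bdb_entry_get: found entry: "(.+)"$')
RE_RESULT  = re.compile(r'^=> access_allowed: (\w+) access (granted|denied) by (.+)$')


def parse_acl_trace(text: str) -> list:
    """Group a slapd ACL trace into one dict per access check.

    "by" is the binding DN as slapd normalised it; "" means anonymous.
    "checked" lists (clause kind, pattern) in the order slapd tried them.
    """
    records = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            cur = {"access": m.group(1), "target": m.group(2), "attr": m.group(3),
                   "by": None, "checked": [], "lookups": [], "matched": None,
                   "mask": None, "result": None}
            records.append(cur)
            continue
        if cur is None:
            continue  # lines before the first request are ignored
        m = RE_BY.match(line)
        if m:
            cur["by"] = m.group(1)
            continue
        m = RE_CHECK.match(line)
        if m:
            cur["checked"].append((m.group(1), m.group(2)))
            continue
        m = RE_LOOKUP.match(line)
        if m:
            # Entry fetches between "check" lines come from set evaluation
            # (user/... needs the binding user's entry).
            cur["lookups"].append(m.group(1))
            continue
        m = RE_APPLY.match(line)
        if m:
            # Assumption: [N] is the 1-based index of the <who> clause, so it
            # names the N-th "check" line seen for this access check.
            idx = int(m.group(1)) - 1
            cur["matched"] = cur["checked"][idx] if 0 <= idx < len(cur["checked"]) else None
            cur["mask"] = m.group(2)
            continue
        m = RE_RESULT.match(line)
        if m:
            cur["result"] = m.group(2)
            cur["mask"] = m.group(3)
            cur = None  # record complete
    return records


def summarize(records: list) -> list:
    """One human-readable line per access check."""
    out = []
    for r in records:
        who = "anonymous" if r["by"] == "" else r["by"]
        if r["matched"]:
            how = f'matched <who> clause "{r["matched"][1]}" ({r["matched"][0]})'
        else:
            how = "no <who> clause matched"
        tried = ", ".join(p for _, p in r["checked"])
        out.append(f'{r["result"]}: {r["access"]} on {r["attr"]} of {r["target"]} '
                   f'by {who}; {how}; tried: {tried}; entries fetched: {len(r["lookups"])}')
    return out


if __name__ == "__main__":
    for line in summarize(parse_acl_trace(SAMPLE_TRACE)):
        print(line)
```

Run against the quoted trace, the second record shows the point at issue: the search by phr2101 on zg1's entry tried self, anonymous and the set clause in turn, fetched phr2101's own entry while evaluating the set (that is the `bdb_entry_get` line), and then fell off the end of the <who> list with no clause matched, so the set expression evaluated to empty for that bind DN.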