problem with set ACL
Hello
I have a problem with the set keyword in ACL.
Here is the setup. My directory has objects in two classes:
persons and addresses
A person looks like this:
dn: cn=jdoe,ou=sales,dc=example,dc=net
cn: jdoe
rfc822Mailbox: John.Doe@example.net
An address looks like this:
dn: netExampleMail=John.Doe@example.net,dc=example,dc=net
netExampleMail: John.Doe@example.net
netExampleEnable: TRUE
Now I want to give a user the right to modify the netExampleEnable
attribute for an address if his rfc822Mailbox matches the netExampleMail
of the address.
After banging my head on the documentation for one day, I came to the
conclusion that I had to use the set keyword. Here is what I tried:
access to dn.regex="netExampleMail=([^,]+),dc=example,dc=net"
by set.expand=[ldap://localhost/dc=example,dc=net?dn?sub?rfc822Mailbox=$1]
write
by * read
The access is always granted, whatever address entry a user attempts to
modify.
Worse: the URI dereferencing is ignored: replacing the LDAP host with an IP
address that has no LDAP service causes no error. Running tcpdump shows
that no attempt was made to connect to the LDAP service.
Here is the log output:
=> acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested
=> acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)
<= check a_set_pat: [ldap://example.net/dc=example,dc=net?dn?sub?rfc822mailbox=$1]
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: delete access granted by write(=wrscxd)
--
Emmanuel Dreyfus
manu@netbsd.org
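The rule the post is trying to express, as an added Python example that is not from the thread or from OpenLDAP: it models the intended check (the bound user's rfc822Mailbox must equal the netExampleMail captured from the target DN) against a constructed directory, then audits slapd ACL debug lines of the kind shown above and flags any write that the intended rule would have denied. The directory contents and the log excerpt are constructed from the post's examples; this is a model of the policy, not slapd's own set evaluator.

```python
import re

# Constructed sample directory modelled on the post's two object classes.
DIRECTORY = {
    "cn=jdoe,ou=sales,dc=example,dc=net": {"rfc822Mailbox": "John.Doe@example.net"},
    "netExampleMail=John.Doe@example.net,dc=example,dc=net":
        {"netExampleMail": "John.Doe@example.net", "netExampleEnable": "TRUE"},
    "netExampleMail=Random.User@example.net,dc=example,dc=net":
        {"netExampleMail": "Random.User@example.net", "netExampleEnable": "TRUE"},
}

# Same pattern as the post's dn.regex clause; group 1 plays the role of $1.
ADDRESS_DN = re.compile(r"^netExampleMail=([^,]+),dc=example,dc=net$")

def owners_of(mailbox):
    """What the set URI is meant to yield: the DNs whose rfc822Mailbox equals $1
    (compared case-insensitively, as mail address syntaxes are in LDAP)."""
    return {dn for dn, attrs in DIRECTORY.items()
            if attrs.get("rfc822Mailbox", "").lower() == mailbox.lower()}

def intended_write_allowed(user_dn, target_dn):
    """The rule the post describes: write netExampleEnable only when the bound
    user's own rfc822Mailbox is the netExampleMail of the address being modified."""
    m = ADDRESS_DN.match(target_dn)
    return bool(m) and user_dn in owners_of(m.group(1))

# Patterns for the three slapd ACL debug lines quoted in the post.
ENTRY_RE = re.compile(r'=> acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
USER_RE = re.compile(r'=> acl_mask: to all values by "([^"]+)"')
GRANT_RE = re.compile(r'<= acl_mask: \[\d+\] applying write\(')

def audit_acl_log(lines):
    """Walk slapd ACL debug output and return (user, target) pairs for which
    slapd applied write although the intended rule would deny it."""
    target = user = None
    violations = []
    for line in lines:
        if m := ENTRY_RE.search(line):
            target, user = m.group(1), None
        elif m := USER_RE.search(line):
            user = m.group(1)
        elif GRANT_RE.search(line) and target and user:
            if not intended_write_allowed(user, target):
                violations.append((user, target))
    return violations

# Constructed log excerpt in the shape of the post's output.
SAMPLE_LOG = [
    '=> acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested',
    '=> acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)',
    '<= acl_mask: [1] applying write(=wrscxd) (stop)',
]
```

Running `audit_acl_log(SAMPLE_LOG)` on the excerpt reports the jdoe-to-Random.User grant, which is exactly the decision the post says should not have been made.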