Access Control: Limiting based on regex
Hello.
Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control,
I find the following:
<access directive> ::= access to <what>
[by <who> <access> <control>]+
<what> ::= * |
[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self
| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
[peername[.<basic-style>]=<regex>]
[sockname[.<basic-style>]=<regex>]
[domain[.<basic-style>]=<regex>]
[sockurl[.<basic-style>]=<regex>]
[set=<setspec>]
[aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
<control> ::= [stop | continue | break]
I'm particularly interested in the "what" clause:
<what> ::= * |
[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
I understand the term "dn[.<basic-style>]" to mean that ".<basic-style>"
is optional and can be left out; i.e. there's no need to write
".regex" or ".exact".
But when I write "access to dn=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I cannot start slapd:
Apr 5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $
Apr 5 13:09:51 winds06 asmoore@ra
Apr 5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "attrs" instead.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: bad DN ".*,dc=mylan,dc=net" in to DN clause
Apr 5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
Apr 5 13:09:51 winds06 unparseable log message: "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]"
Apr 5 13:09:51 winds06 unparseable log message: "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>"
Apr 5 13:09:51 winds06 unparseable log message: "<attrlist> ::= <attr> [ , <attrlist> ]"
Apr 5 13:09:51 winds06 unparseable log message: "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children"
Apr 5 13:09:51 winds06 unparseable log message: "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]"
Apr 5 13:09:51 winds06 [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
Apr 5 13:09:51 winds06 [dnattr=<attrname>]
Apr 5 13:09:51 winds06 [realdnattr=<attrname>]
Apr 5 13:09:51 winds06 [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
Apr 5 13:09:51 winds06 [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
Apr 5 13:09:51 winds06 [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
Apr 5 13:09:51 winds06 [aci[=<attrname>]]
Apr 5 13:09:51 winds06 [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
Apr 5 13:09:51 winds06 unparseable log message: "<style> ::= exact | regex | base(Object)"
Apr 5 13:09:51 winds06 unparseable log message: "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex"
Apr 5 13:09:51 winds06 unparseable log message: "<attrstyle> ::= exact | regex | base(Object) | on"
Apr 5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_destroy: nothing to destroy.
It seems to me that ".regex" or ".exact" is required, because when
I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I can start slapd just fine.
Is this intended?
I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted
line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $"?)
Best regards,
Alexander Skwar
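An added example, not part of Alexander's message or of OpenLDAP itself: a small Python lint that scans the "access to" directives of a slapd.conf for what slapd complained about in the log above (a regex-looking value under a plain dn= clause, which slapd tries to parse as a literal DN, and the deprecated "attr" keyword), and additionally flags dn.regex patterns that are not anchored with ^ and $. The configuration fragment is constructed from the post.

```python
import re

# Constructed slapd.conf fragment modelled on the post; not the author's file.
SAMPLE_CONF = """\
access to dn=".*,dc=mylan,dc=net" attr=userPassword
    by self write
    by * auth
access to dn.regex=".*,dc=mylan,dc=net" attrs=userPassword
    by self write
    by * auth
access to dn.subtree="ou=people,dc=mylan,dc=net"
    by * read
"""

# Characters that only make sense in a regex, never in a literal DN value.
REGEX_META = re.compile(r'[.*+?^$\[\]()|\\]')
# dn[.<style>]=<value>, with the value either double-quoted or a bare token.
DN_CLAUSE = re.compile(r'\bdn(?:\.(\w+))?=(?:"([^"]*)"|(\S+))')


def lint_access_directives(conf_text):
    """Return (line_number, message) tuples for suspicious 'access to' lines.

    Continuation lines ('    by ...') are indented and therefore skipped.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith("access to"):
            continue
        # slapd itself warns about this keyword, as the log in the post shows.
        if re.search(r'\battr=', stripped):
            findings.append((lineno, '"attr" is deprecated; use "attrs"'))
        m = DN_CLAUSE.search(stripped)
        if not m:
            continue
        style = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if style is None and REGEX_META.search(value):
            findings.append((lineno, f'dn="{value}" contains regex metacharacters '
                             'but has no .regex style, so slapd parses it as a literal DN'))
        elif style == "regex" and not (value.startswith("^") and value.endswith("$")):
            findings.append((lineno, f'dn.regex="{value}" is not anchored with ^ and $ '
                             'and can match more DNs than intended'))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_access_directives(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```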