Access Control: Limiting based on regex
Hello.

Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control,
I find the following:

        <access directive> ::= access to <what>
                [by <who> <access> <control>]+
        <what> ::= * |
                [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
                [filter=<ldapfilter>] [attrs=<attrlist>]
        <basic-style> ::= regex | exact
        <scope-style> ::= base | one | subtree | children
        <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
        <attr> ::= <attrname> | entry | children
        <who> ::= * | [anonymous | users | self
                        | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
                [dnattr=<attrname>]
                [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
                [peername[.<basic-style>]=<regex>]
                [sockname[.<basic-style>]=<regex>]
                [domain[.<basic-style>]=<regex>]
                [sockurl[.<basic-style>]=<regex>]
                [set=<setspec>]
                [aci=<attrname>]
        <access> ::= [self]{<level>|<priv>}
        <level> ::= none | auth | compare | search | read | write
        <priv> ::= {=|+|-}{w|r|s|c|x|0}+
        <control> ::= [stop | continue | break]


I'm particularly interested in the "what" clause:

        <what> ::= * |
                [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]

I understand the term "dn[.<basic-style>]" to mean that ".<basic-style>"
is optional and can be left out, i.e. there's no need to write
".regex" or ".exact".

But when I write "access to dn=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I cannot start slapd:

Apr  5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $
Apr  5 13:09:51 winds06         asmoore@ra
Apr  5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "attrs" instead.
Apr  5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: bad DN ".*,dc=mylan,dc=net" in to DN clause
Apr  5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
Apr  5 13:09:51 winds06 unparseable log message: "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]"
Apr  5 13:09:51 winds06 unparseable log message: "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>"
Apr  5 13:09:51 winds06 unparseable log message: "<attrlist> ::= <attr> [ , <attrlist> ]"
Apr  5 13:09:51 winds06 unparseable log message: "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children"
Apr  5 13:09:51 winds06 unparseable log message: "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]"
Apr  5 13:09:51 winds06         [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
Apr  5 13:09:51 winds06         [dnattr=<attrname>]
Apr  5 13:09:51 winds06         [realdnattr=<attrname>]
Apr  5 13:09:51 winds06         [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
Apr  5 13:09:51 winds06         [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
Apr  5 13:09:51 winds06         [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
Apr  5 13:09:51 winds06         [aci[=<attrname>]]
Apr  5 13:09:51 winds06         [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
Apr  5 13:09:51 winds06 unparseable log message: "<style> ::= exact | regex | base(Object)"
Apr  5 13:09:51 winds06 unparseable log message: "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex"
Apr  5 13:09:51 winds06 unparseable log message: "<attrstyle> ::= exact | regex | base(Object) | on"
Apr  5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped.
Apr  5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_destroy: nothing to destroy.

It seems to me that ".regex" or ".exact" is required, because when
I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword"
in my slapd.conf, I can start slapd just fine.

Is this intended?

I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted
line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $"?)

Best regards,

Alexander Skwar
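To show the point in working code: the following is an added lint, not part of this message and not OpenLDAP's own parser. It mirrors the <what> grammar slapd printed in the syslog excerpt and applies the rule the failure demonstrates: an unstyled dn= value is validated as a literal DN, so a pattern such as ".*,dc=mylan,dc=net" is rejected with the same "bad DN" diagnosis, while the same pattern is accepted under dn.regex. Two assumptions are built in and labelled in the code: per slapd.access(5), an omitted style defaults to exact, and slapd does not implicitly anchor dn.regex patterns, so an unanchored pattern is reported as a warning. The three access lines are constructed for the example (the two from this post plus a dn.subtree alternative); the deprecated attr keyword gets the same warning slapd gives.

```python
import re

# <dnstyle> production exactly as slapd printed it in the syslog excerpt:
#   base(Object) | one(level) | sub(tree) | children | exact | regex
DN_STYLES = {"base", "baseobject", "one", "onelevel", "sub", "subtree",
             "children", "exact", "regex"}

# One RDN of the form type=value; type is an RFC 4512 descriptor or numeric OID.
# Simplification: commas inside values are assumed unescaped (no "\," handling).
_RDN_RE = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+$")

# A <what> token: key[.style]=value, value either "double quoted" or bare.
_TOKEN_RE = re.compile(r'([A-Za-z_]+)(?:\.([A-Za-z]+))?=(?:"([^"]*)"|(\S+))')


def is_valid_dn(dn):
    """Loose syntactic DN check: every comma-separated RDN must be type=value."""
    if dn == "":
        return True  # the empty DN (root DSE) is a legal DN
    return all(_RDN_RE.match(rdn) for rdn in dn.split(","))


def lint_access_to(line):
    """Lint the <what> part of one 'access to ...' directive.

    Returns (ok, findings): findings is a list of (level, message) tuples and
    ok is False when any finding is an "error" (slapd would refuse to start).
    Added approximation of slapd's checks, not slapd's own parser.
    """
    findings = []
    m = re.match(r"^\s*access\s+to\s+(.*)$", line)
    if not m:
        return False, [("error", "not an 'access to' directive")]
    # Everything before the first "by" is the <what> clause.
    what = re.split(r"\s+by\s+", m.group(1), maxsplit=1)[0].strip()
    if what == "*":
        return True, findings
    for key, style, quoted, bare in _TOKEN_RE.findall(what):
        value = bare if bare else quoted
        if key == "dn":
            # Assumption (slapd.access(5)): an omitted style means "exact", so the
            # value is validated as a literal DN. A pattern only works under dn.regex.
            style = (style or "exact").lower()
            if style not in DN_STYLES:
                findings.append(("error", f'unknown dn style "{style}"'))
            elif style == "regex":
                try:
                    re.compile(value)  # Python re as an approximation of POSIX regex
                except re.error as exc:
                    findings.append(("error", f'bad regex "{value}": {exc}'))
                # Assumption: slapd does not anchor the pattern for you, so an
                # unanchored regex also matches DNs that merely contain it.
                if not (value.startswith("^") and value.endswith("$")):
                    findings.append(("warning",
                                     f'unanchored regex "{value}"; consider ^...$'))
            elif not is_valid_dn(value):
                findings.append(("error", f'bad DN "{value}" in to DN clause'))
        elif key == "attr":
            # slapd accepts this form but logs the same deprecation warning.
            findings.append(("warning", '"attr" is deprecated; use "attrs" instead'))
        elif key not in ("attrs", "filter"):
            findings.append(("error", f'unknown <what> keyword "{key}"'))
    ok = not any(level == "error" for level, _ in findings)
    return ok, findings


# Constructed sample lines: the failing and working forms from the post, plus a
# scope-style alternative that needs neither a regex nor anchoring.
CONSTRUCTED_LINES = [
    'access to dn=".*,dc=mylan,dc=net" attr=userPassword',
    'access to dn.regex=".*,dc=mylan,dc=net" attrs=userPassword',
    'access to dn.subtree="dc=mylan,dc=net" attrs=userPassword '
    'by self write by anonymous auth by * none',
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LINES:
        ok, findings = lint_access_to(line)
        print("OK  " if ok else "FAIL", line)
        for level, msg in findings:
            print(f"      {level}: {msg}")
```

Run stand-alone, the first line is reported FAIL with the same "bad DN" message slapd gave, the dn.regex line passes with warnings, and the dn.subtree line passes clean. When the intent is "every entry under dc=mylan,dc=net", dn.subtree from the <scope-style> production states that directly and sidesteps both the style default and the anchoring question.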