[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acl problem

To: Bernhard D Rohrer <graylion@sm-wg.net>
Subject: Re: acl problem
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 12 Apr 2007 17:32:40 +0200
Cc: openldap-software@openldap.org
In-reply-to: <461E20A1.1010205@sm-wg.net>
References: <461E20A1.1010205@sm-wg.net>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Bernhard D Rohrer wrote:

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        by dn="uid=$1,ou=users,dc=graylion,dc=net" write
        by dn.regex="cn=admin,dc=graylion,dc=net" read
        by users none

This rule is bogus:

	by dn="uid=$1,ou=users,dc=graylion,dc=net" write

matches a DN exactly containing the literal "uid=$1,ou=users,dc=graylion,dc=net" (the default style has been "exact" for quite a long time);

	by dn.regex="cn=admin,dc=graylion,dc=net" read

uses a regex to match an exact value, which means that a DN __containing__ "cn=admin,dc=graylion,dc=net" (e.g. "cn=admin,dc=graylion,dc=network") would match as well;

	by users none

is not necessary since anything not matching the previous "by" clauses will get the default privileges, i.e. "none" (actually, the default privileges should now be "disclose", so an explicit "by * none" could be necessary to strictly enforce "none").

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

References:
- acl problem
  - From: Bernhard D Rohrer <graylion@sm-wg.net>

Prev by Date: Re: slapd crashing "randomly?"
Next by Date: Re: slapd crashing "randomly?"
Index(es):
- Chronological
- Thread