Re: acl problem
Bernhard D Rohrer wrote:
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
>     by dn="uid=$1,ou=users,dc=graylion,dc=net" write
>     by dn.regex="cn=admin,dc=graylion,dc=net" read
>     by users none
This rule is bogus:
by dn="uid=$1,ou=users,dc=graylion,dc=net" write
matches a DN exactly containing the literal
"uid=$1,ou=users,dc=graylion,dc=net" (the default style has been "exact"
for quite a long time);
by dn.regex="cn=admin,dc=graylion,dc=net" read
uses a regex to match an exact value, which means that a DN
__containing__ "cn=admin,dc=graylion,dc=net" (e.g.
"cn=admin,dc=graylion,dc=network") would match as well;
by users none
is not necessary since anything not matching the previous "by" clauses
will get the default privileges, i.e. "none" (actually, the default
privileges should now be "disclose", so an explicit "by * none" could be
necessary to strictly enforce "none").
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
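As an added illustration (not code from the post, and not slapd's own ACL engine), the following Python emulates first-match evaluation of the quoted "by" clauses against a few constructed bind DNs, and places a hypothetical corrected set beside them written in slapd.access(5) syntax ("dn.exact,expand" so that $1 is substituted, a ^...$-anchored admin regex, and an explicit "by * none"). The model is deliberately simplified: no DN normalization, and the fall-through privilege is taken as "none".

```python
import re

# Target clause from the quoted ACL: captures the cn value as $1.
TARGET = r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"

# "by" clauses as (who-style, pattern, privilege). ORIGINAL_BY is the set
# quoted in the post; CORRECTED_BY is a hypothetical fix in slapd.access(5)
# syntax ("dn.exact,expand", anchored regex, "by * none").
ORIGINAL_BY = [
    ("dn.exact", "uid=$1,ou=users,dc=graylion,dc=net", "write"),
    ("dn.regex", "cn=admin,dc=graylion,dc=net", "read"),
    ("users", None, "none"),
]
CORRECTED_BY = [
    ("dn.exact,expand", "uid=$1,ou=users,dc=graylion,dc=net", "write"),
    ("dn.regex", r"^cn=admin,dc=graylion,dc=net$", "read"),
    ("*", None, "none"),
]


def expand(template, target_match):
    """Replace $1..$9 with the capture groups of the target regex match."""
    return re.sub(r"\$([1-9])",
                  lambda m: target_match.group(int(m.group(1))), template)


def evaluate(by_clauses, entry_dn, bind_dn, target=TARGET):
    """Return the privilege granted to bind_dn on entry_dn, or None when the
    access directive does not apply to entry_dn at all.

    Simplified emulation: the first matching "by" clause wins, DNs are not
    normalized, an empty bind_dn is an anonymous bind, and a bind DN that
    matches no clause falls through to "none".
    """
    m = re.search(target, entry_dn)
    if m is None:
        return None
    for style, pattern, priv in by_clauses:
        if style == "*":
            return priv
        if style == "users":
            if bind_dn:
                return priv
        elif style == "dn.exact":
            # Exact style compares the literal string, "$1" included.
            if bind_dn == pattern:
                return priv
        elif style == "dn.exact,expand":
            if bind_dn == expand(pattern, m):
                return priv
        elif style == "dn.regex":
            # Unanchored search, like regexec(): a DN merely containing the
            # pattern matches unless the pattern carries ^ and $.
            if re.search(expand(pattern, m), bind_dn):
                return priv
    return "none"


if __name__ == "__main__":
    entry = "cn=bob,ou=personal,ou=contacts,dc=graylion,dc=net"  # constructed
    for who in ("uid=bob,ou=users,dc=graylion,dc=net",
                "cn=admin,dc=graylion,dc=net",
                "cn=admin,dc=graylion,dc=network",
                ""):
        print(f"{who or '<anonymous>':40} "
              f"original={evaluate(ORIGINAL_BY, entry, who):6} "
              f"corrected={evaluate(CORRECTED_BY, entry, who)}")
```

Running it shows the two defects the reply points out: the user's own bind DN gets "none" from the original clauses because the literal "$1" never matches, and "cn=admin,dc=graylion,dc=network" is granted "read" by the unanchored regex; the corrected set grants "write" to the owner, "read" to the real admin only, and "none" to everything else.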