Re[2]: slapd-meta and acls



Good day.

> Dmitriy Kirhlarov <dimma@higis.ru> writes:

>> Hi list.
>>
>> I'll try to ask again. :)
>>
>> We want to use slapd-meta to aggregate several databases into one
>> DIT. We suppose users will read and write the "o=vega" (virtual)
>> suffix. Members of cn=sysadmins should have write access to all DB
>> objects.
>> Also, we would like to use ACLs per database, not global.
>>
>> Currently, write access to ou=devel doesn't work and we can't find
>> the error in our ACLs.

> run slapd in debugging mode, that is slapd -dacl, to watch acl
> parsing.

> -Dieter


I connect to "cn=root on devels hosts,ou=sudoers,ou=devel" as
"uid=ishetukhina,ou=users,o=vega".

acl:
access to dn.sub="ou=devel"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * read

"uid=ishetukhina,ou=users,o=vega" is in "cn=sysadmins,ou=groups,o=vega-main"

But I see in the log:

Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: access to entry "cn=root on devels hosts,ou=sudoers,ou=devel", attr "entry" requested
Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: to all values by "", (=0)
Dec  1 18:54:40 ldap slapd[17667]: <= check a_dn_pat: *
Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] mask: read(=rscxd)

Why does [2] work?


-- 
Best regards,
Irina Shetukhina
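The trace quoted above can be read mechanically. As an added example that is not part of this thread, here is a small Python parser for slapd `-d acl` output that groups the lines into one record per access check and pulls out the subject DN slapd evaluated the `by` clauses against (the DN inside `to all values by "..."`), the clause number that fired and the resulting mask. The sample input embeds the five lines quoted in the message and a second, constructed trace for an authenticated bind (the `a_group_pat` line and the `write(=wrscxd)` mask are assumptions for contrast, not output from the poster's server). It flags checks whose subject is the empty DN: such a check was evaluated as anonymous, and a `by group/...` clause cannot match an empty DN, so only `by *` (clause [2]) can apply. When the client did bind but the trace still shows `by ""`, the first thing to confirm is whether the bind identity reaches the backend where the ACL is evaluated.

```python
import re

# Constructed sample input. The first five lines are the slapd -d acl trace
# quoted in the message above; the second group is a constructed contrasting
# trace for an authenticated bind (the a_group_pat line and the write mask are
# assumptions for illustration, not output from the poster's server).
SAMPLE_LOG = """\
Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: access to entry "cn=root on devels hosts,ou=sudoers,ou=devel", attr "entry" requested
Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: to all values by "", (=0)
Dec  1 18:54:40 ldap slapd[17667]: <= check a_dn_pat: *
Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] mask: read(=rscxd)
Dec  1 18:55:02 ldap slapd[17667]: => acl_mask: access to entry "cn=root on devels hosts,ou=sudoers,ou=devel", attr "entry" requested
Dec  1 18:55:02 ldap slapd[17667]: => acl_mask: to all values by "uid=ishetukhina,ou=users,o=vega", (=0)
Dec  1 18:55:02 ldap slapd[17667]: <= check a_group_pat: cn=sysadmins,ou=groups,o=vega-main
Dec  1 18:55:02 ldap slapd[17667]: <= acl_mask: [1] applying write(=wrscxd) (stop)
Dec  1 18:55:02 ldap slapd[17667]: <= acl_mask: [1] mask: write(=wrscxd)
"""

# One access check starts with this line: target entry and attribute.
ENTRY_RE = re.compile(r'=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
# The subject DN slapd evaluates the <by> clauses against; "" means anonymous.
SUBJECT_RE = re.compile(r'=> acl_mask: to .*? by "([^"]*)"')
# Final decision: which <by> clause (1-based) fired and the privileges granted.
MASK_RE = re.compile(r'<= acl_mask: \[(\d+)\] mask: (\w+)\(=([a-z0-9]*)\)')


def parse_acl_trace(text):
    """Group slapd -d acl lines into one record per access check."""
    records = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current = {"entry": m.group(1), "attr": m.group(2),
                       "subject": None, "clause": None,
                       "access": None, "bits": None}
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first access check
        m = SUBJECT_RE.search(line)
        if m:
            current["subject"] = m.group(1)
            continue
        m = MASK_RE.search(line)
        if m:
            current["clause"] = int(m.group(1))
            current["access"] = m.group(2)
            current["bits"] = m.group(3)
    return records


def anonymous_checks(records):
    """Checks evaluated for the empty DN: no dn/group <by> clause can match these."""
    return [r for r in records if r["subject"] == ""]


def describe(record):
    """One-line human summary of an access check."""
    who = record["subject"] if record["subject"] else "<anonymous>"
    return (f'{record["entry"]} attr={record["attr"]}: subject {who} -> '
            f'clause [{record["clause"]}] grants {record["access"]}(={record["bits"]})')


if __name__ == "__main__":
    recs = parse_acl_trace(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    for r in anonymous_checks(recs):
        print(f'WARNING: check on {r["entry"]} ran as anonymous; '
              'dn/group <by> clauses cannot match an empty DN')
```

Feed it a real `slapd -d acl` log (for example `python3 acltrace.py < slapd.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`) and compare the subject printed for each check with the DN the client actually bound as; a mismatch, not the ACL text, is what to investigate first.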