Re: set.regex and substring substitution



Hi Aaron,

Isn't it the same as setting loglevel 128 (access control list
processing) in /etc/openldap/slapd.conf?

This is the slapd.access ACL:
access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
  by set.regex="user/allowedDomain & $2" write


These are the logs:
slapd[19439]: => access_allowed: add access to "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR" "entry" requested
slapd[19439]: => dnpat: [1] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [2] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [3] ^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$ nsub: 2
slapd[19439]: => acl_get: [3] matched
slapd[19439]: => acl_get: [3] attr entry
slapd[19439]: => acl_mask: access to entry "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR", attr "entry" requested
slapd[19439]: => acl_mask: to all values by "uid=ronie,ou=user,o=example,c=br", (=0)
slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
slapd[19439]: => bdb_entry_get: found entry: "uid=ronie,ou=user,o=example,c=br"
slapd[19439]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[19439]: <= acl_mask: [4] mask: read(=rscxd)
slapd[19439]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[19439]: => access_allowed: no more rules



Thanks,
Ronie
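
Reading an "slapd -d acl" trace like the one above by hand is error-prone. The script below is an added example, not code from this thread or from OpenLDAP: it parses a constructed excerpt of that trace, re-runs the matched dn.regex against the target DN to show what $1 and $2 capture, and expands the logged set pattern with those values so the logged form and the expected form can be compared side by side. All function and variable names are mine.

```python
import re

# Constructed excerpt of the "slapd -d acl" trace quoted above, with wrapped lines re-joined.
ACL_LOG = """\
slapd[19439]: => access_allowed: add access to "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR" "entry" requested
slapd[19439]: => dnpat: [1] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [3] ^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$ nsub: 2
slapd[19439]: => acl_get: [3] matched
slapd[19439]: => acl_mask: to all values by "uid=ronie,ou=user,o=example,c=br", (=0)
slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
slapd[19439]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[19439]: => slap_access_allowed: add access denied by read(=rscxd)
"""

# One regex per kind of trace line that matters for debugging an access check.
LOG_RE = {
    "target": re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested'),
    "dnpat": re.compile(r"dnpat: \[(\d+)\] (.+) nsub: (\d+)$"),
    "matched": re.compile(r"acl_get: \[(\d+)\] matched"),
    "setpat": re.compile(r"check a_set_pat: (.+)$"),
    "applying": re.compile(r"acl_mask: \[(\d+)\] applying (\S+)"),
    "result": re.compile(r"slap_access_allowed: (\w+) access (granted|denied) by (\S+)"),
}

def summarize_acl_trace(log):
    """Collect, per line kind, the regex groups found in one access check of the trace."""
    s = {"dnpat": {}, "setpat": []}
    for line in log.splitlines():
        for kind, rx in LOG_RE.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "dnpat":
                s["dnpat"][int(m.group(1))] = m.group(2)  # rule index -> dn.regex pattern
            elif kind == "setpat":
                s["setpat"].append(m.group(1))  # set pattern exactly as slapd logged it
            else:
                s[kind] = m.groups()
    return s

def dn_regex_submatches(summary):
    """Re-run the matched dn.regex on the target DN; returns the $1..$n values a set.regex clause refers to."""
    # Assumes the logged pattern uses syntax common to POSIX ERE and Python's re module.
    pattern = summary["dnpat"][int(summary["matched"][0])]
    m = re.match(pattern, summary["target"][1])
    return {f"${i}": v for i, v in enumerate(m.groups(), 1)} if m else {}

def expand_set_pattern(set_pat, subs):
    """Expand $n tokens so the logged set pattern can be compared with the value the rule should test."""
    return re.sub(r"\$(\d+)", lambda m: subs.get(m.group(0), m.group(0)), set_pat)
```

For the trace above, rule [3] captures $2 = example.com.br, so the expanded set pattern is "user/allowedDomain & example.com.br", which can be checked against the user entry's allowedDomain values.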


-------- Original Message  --------
Subject: Re: set.regex and substring substitution
From: Aaron Richton <richton@nbcs.rutgers.edu>
To: Ronie Gilberto Henrich <ronie@ronie.com.br>
Cc: openldap-software@openldap.org
Date: Wed Sep 16 2009 13:45:00 GMT-0300

On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:

> I think you mean "slapacl -D"

No, I mean "slapd -d acl", not to say that slapacl isn't useful too. The
key to slapacl is knowing what the proper input should be, and history
has shown that "slapd -d acl" often proves enlightening to discovering
the actual input to the ACL rules.

Also, if you post relevant parts of "slapd -d acl" output to the list,
it'll be a LOT easier than us having to try to divine (possibly quite
relevant) DIT details.