Re: ACL Question 'write stop' 'write break'
slapd -d acl (or the same through loglevel directives) is really helpful
if you're not already using that...
First off, "attr=" is not preferred, please see slapd.access man page.
This should be logged at LDAP_DEBUG_ANY; are you reading your startup
logs? You might as well do a "slaptest -d config" while you're at it, to
make sure everything is clean.
So when you uncomment your first stanza and consider the second stanza
too:
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
attrs=userPassword,accountstatus
by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
access to attr=userPassword
by self write
by anonymous auth
by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
by * none
you're not giving john@ and sara@ your desired write access? I think that
although rule #1 may well fire and grant them write, rule #2 has "to *" as
the implicit target (IMO a best practice is to write these out), so it
will fire as well. The first four <by> will not apply to john@ and sara@,
so the final <by> will fire ... by * none. ACL #1 giveth, ACL #2 taketh
away. I think a first consideration would be giving john@ and sara@ "write
stop" instead of "write break" -- the break means to continue evaluation,
whereas "stop" will not let ACL #2 remove the effect of ACL #1.
by * break
Also IMO best practice, "by * none break" (or whatever level you want) to
make the level explicit. And you'll obviously need to keep this; otherwise
.*managed will never be able to auth (they have to get to ACL #2 <by> #2
by means of a "break" or ACL reordering).
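To make the evaluation order in the reply above concrete, here is a small Python model of how slapd walks these two stanzas. It is an added illustration, not OpenLDAP code and not part of the original message; it follows the order described in slapd.access(5) and the Admin Guide (directives in order, first matching <by> wins, stop/continue/break controls, implicit trailing "by * none"), models only absolute levels (not "+w"/"-w"), and treats a <by> clause with no level as leaving the level reached so far unchanged (my reading of the man page). The "bob.managed" DN is a constructed sample target, and dn.regex is matched as an unanchored search, as regexec(3) does.

```python
"""Toy model of slapd ACL evaluation order (added example, not OpenLDAP code).

Subset of slapd.access(5) modelled here:
  * access directives are tried in order; only those whose <what>
    (dn.regex + attrs) matches the target entry/attribute are considered;
  * inside a directive the <by> clauses are tried in order; the first
    matching <who> sets the level, then its control decides: "stop"
    (default) ends evaluation, "continue" tries the next <by>, "break"
    carries the level into the next matching directive;
  * if no <by> clause of a matched directive matches, the implicit
    trailing "by * none" applies and evaluation stops.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class By:
    who: str                      # "*", "anonymous", "self" or "dn=<exact dn>"
    level: Optional[str] = None   # None: no level written; assumed to leave
                                  # the level reached so far unchanged
    control: str = "stop"         # "stop" | "continue" | "break"

@dataclass
class Access:
    dn_regex: str = ".*"          # <what>; a directive without "to <dn>" means "*"
    attrs: Optional[frozenset] = None   # None: directive covers every attribute
    by: list = field(default_factory=list)

def who_matches(clause: By, bind_dn: Optional[str], target_dn: str) -> bool:
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return bind_dn is None
    if clause.who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if clause.who.startswith("dn="):          # plain dn= is an exact match
        return bind_dn is not None and bind_dn.lower() == clause.who[3:].lower()
    raise ValueError(f"unsupported <who>: {clause.who}")

def evaluate(acls, bind_dn, target_dn, attr):
    """Return the level bind_dn ends up with on attr of target_dn."""
    granted = "none"
    for acl in acls:
        # dn.regex is a search, not anchored, unless the pattern has ^ and $
        if not re.search(acl.dn_regex, target_dn, re.IGNORECASE):
            continue
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        control, matched = "stop", False
        for clause in acl.by:
            if not who_matches(clause, bind_dn, target_dn):
                continue
            matched = True
            if clause.level is not None:
                granted = clause.level
            control = clause.control
            if control != "continue":
                break
        if not matched or control == "continue":
            return "none"          # implicit "by * none" closes the directive
        if control == "stop":
            return granted
        # control == "break": keep 'granted' and try the next directive
    return granted

# DNs and the regex as quoted in the thread
JOHN = "mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SARA = "mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US"
SAMBA = "mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SAMBA_INC = "mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US"
MANAGED_RE = r"mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
# constructed sample target entry, not from the thread
BOB = "mail=bob.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"

def thread_acls(john_sara_control: str, trailing_break: bool):
    """The two stanzas from the thread; parameters pick the variants discussed."""
    first = Access(MANAGED_RE, frozenset({"userpassword", "accountstatus"}), [
        By("dn=" + JOHN, "write", john_sara_control),
        By("dn=" + SARA, "write", john_sara_control),
    ])
    if trailing_break:
        first.by.append(By("*", None, "break"))   # the "by * break" pass-through
    second = Access(attrs=frozenset({"userpassword"}), by=[
        By("self", "write"),
        By("anonymous", "auth"),
        By("dn=" + SAMBA, "read"),
        By("dn=" + SAMBA_INC, "read"),
        By("*", "none"),
    ])
    return [first, second]

if __name__ == "__main__":
    for ctl in ("break", "stop"):
        acls = thread_acls(ctl, True)
        print(f"john, userPassword, write {ctl}:", evaluate(acls, JOHN, BOB, "userPassword"))
        print(f"john, accountstatus, write {ctl}:", evaluate(acls, JOHN, BOB, "accountstatus"))
    print("anonymous with 'by * break':", evaluate(thread_acls("break", True), None, BOB, "userPassword"))
    print("anonymous without it:", evaluate(thread_acls("break", False), None, BOB, "userPassword"))
```

Running it shows the two points of the reply side by side: with "write break" john reaches ACL #2 and its "by * none" replaces the write he was just given, while "write stop" keeps it; and without the trailing "by * break" an anonymous bind against a managed account never reaches the "by anonymous auth" clause. It also shows why the damage is attribute-specific: on accountstatus, which ACL #2 does not cover, john keeps write even with "break".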