
ACL short hand notation @objectClass has side effects



I have again trouble understanding ACLs:

Consider the following schema:
objectclass ( acmeLDAP:4.2
  NAME 'acmeUserLimits'
  DESC 'Limits for acme Users'
  SUP top AUXILIARY
  MAY ( limitMaxUserProc $ limitMaxCpuTime $ limitMaxOpenFiles $
    limitMaxCorefileSize $ limitMaxStackSize $ limitMaxMemorySize $
    limitMaxVirtualMemory $ limitMaxDatasegSize $ limitMaxPipeSize $
    limitMaxFileLocks $ userAttrChanged ) )

and the following ACL:
[...]
access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org"
attrs=limitMaxUserProc,limitMaxCpuTime,limitMaxOpenFiles,limitMaxCorefileSize,limitMaxStackSize,limitMaxMemorySize,limitMaxVirtualMemory,limitMaxDatasegSize,limitMaxPipeSize,limitMaxFileLocks,userAttrChanged
   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" write
   by self read
   by * none
[...]

This one works: it lets users authenticate, and restricts access to the
attributes mentioned. Now as the attribute list is a bit long, I thought I could replace it with the short hand notation:

access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org" attrs=@acmeUserLimits

(since all listed attributes are only in acmeUserLimits).

Unfortunately this does not work, it blocks users from logging in (via ssh). One time I got the message "Permissions on the password database may be too restrictive." Obviously the shorthand notation affects other attributes as well. But looking at the object class definition, I don't see why. Can anyone enlighten me about this?

Isaac
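As an added illustration (not part of the post, and not slapd's own code), the script below expands an attrs= selector the way the @objectClass shorthand is modelled here: it walks the class's SUP chain and collects every MUST and MAY attribute, then diffs the result against the explicit list from the working ACL. The assumption being modelled is that slapd's @class expansion includes attributes inherited from superclasses, so acmeUserLimits (SUP top) also pulls in top's MUST attribute objectClass; the one-line definition of 'top' is a hand-written stand-in for the core schema, and the parser is deliberately minimal. Check the behaviour against slapd.access(5) for the version you run.

```python
import re

# Constructed input: the objectclass from the post plus a hand-written
# stand-in for 'top' (the real definition lives in slapd's core schema;
# objectClass being MUST in top is the part that matters here).
SCHEMA_TEXT = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( acmeLDAP:4.2
  NAME 'acmeUserLimits'
  DESC 'Limits for acme Users'
  SUP top AUXILIARY
  MAY ( limitMaxUserProc $ limitMaxCpuTime $ limitMaxOpenFiles $
    limitMaxCorefileSize $ limitMaxStackSize $ limitMaxMemorySize $
    limitMaxVirtualMemory $ limitMaxDatasegSize $ limitMaxPipeSize $
    limitMaxFileLocks $ userAttrChanged ) )
"""

# The explicit attrs= selector from the ACL that works, and the shorthand one.
EXPLICIT_SELECTOR = (
    "attrs=limitMaxUserProc,limitMaxCpuTime,limitMaxOpenFiles,"
    "limitMaxCorefileSize,limitMaxStackSize,limitMaxMemorySize,"
    "limitMaxVirtualMemory,limitMaxDatasegSize,limitMaxPipeSize,"
    "limitMaxFileLocks,userAttrChanged"
)
SHORTHAND_SELECTOR = "attrs=@acmeUserLimits"


def _oid_list(field):
    """Turn 'objectClass' or '( a $ b $ c )' into a list of lowercased names."""
    return [t.strip().lower() for t in field.strip("() ").split("$") if t.strip()]


def parse_schema(text):
    """Minimal objectclass parser: name -> {'sup', 'must', 'may'} (names lowercased,
    since LDAP attribute and class names are case-insensitive)."""
    classes = {}
    for block in re.split(r"(?im)^\s*objectclass\b", text):
        flat = " ".join(block.split())
        name = re.search(r"NAME\s+'([^']+)'", flat)
        if not name:
            continue
        fields = {}
        for kw in ("SUP", "MUST", "MAY"):
            m = re.search(rf"\b{kw}\s+(\([^)]*\)|\S+)", flat)
            fields[kw.lower()] = _oid_list(m.group(1)) if m else []
        classes[name.group(1).lower()] = fields
    return classes


def class_attrs(classes, name, _seen=None):
    """Every attribute MUST or MAY for the class, including those of its
    superclasses. Assumption modelled here: slapd's @class expansion also
    includes inherited attributes."""
    _seen = set() if _seen is None else _seen
    name = name.lower()
    if name in _seen or name not in classes:
        return set()
    _seen.add(name)
    cls = classes[name]
    attrs = set(cls["must"]) | set(cls["may"])
    for sup in cls["sup"]:
        attrs |= class_attrs(classes, sup, _seen)
    return attrs


def resolve_selector(selector, classes):
    """Expand an attrs= selector: plain names pass through unchanged,
    @class items expand to the class's attribute set."""
    body = selector.split("=", 1)[1]
    attrs = set()
    for item in body.split(","):
        item = item.strip()
        if item.startswith("@"):
            attrs |= class_attrs(classes, item[1:])
        else:
            attrs.add(item.lower())
    return attrs


def shorthand_surplus(schema_text=SCHEMA_TEXT):
    """Attributes matched by the @acmeUserLimits rule but not by the explicit list,
    i.e. the attributes the 'by * none' clause would newly deny."""
    classes = parse_schema(schema_text)
    return resolve_selector(SHORTHAND_SELECTOR, classes) - resolve_selector(
        EXPLICIT_SELECTOR, classes
    )


if __name__ == "__main__":
    print(sorted(shorthand_surplus()))
```

Under that assumption the surplus is exactly {objectclass}: the shorthand rule's "by * none" then also denies objectClass to everyone but the two groups and the entry itself, which is the kind of difference worth checking when an ACL rewrite that looks equivalent suddenly changes what anonymous or service binds can see.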