ACL short hand notation @objectClass has side effects
- To: openldap-technical@openldap.org
- Subject: ACL short hand notation @objectClass has side effects
- From: Isaac Hailperin <hailperin@zib.de>
- Date: Mon, 22 Nov 2010 11:49:52 +0100
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10
I again have trouble understanding ACLs:
Consider the following schema:
objectclass ( acmeLDAP:4.2
    NAME 'acmeUserLimits'
    DESC 'Limits for acme Users'
    SUP top AUXILIARY
    MAY ( limitMaxUserProc $ limitMaxCpuTime $ limitMaxOpenFiles $
          limitMaxCorefileSize $ limitMaxStackSize $ limitMaxMemorySize $
          limitMaxVirtualMemory $ limitMaxDatasegSize $ limitMaxPipeSize $
          limitMaxFileLocks $ userAttrChanged ) )
and the following ACL:
[...]
access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org"
    attrs=limitMaxUserProc,limitMaxCpuTime,limitMaxOpenFiles,limitMaxCorefileSize,limitMaxStackSize,limitMaxMemorySize,limitMaxVirtualMemory,limitMaxDatasegSize,limitMaxPipeSize,limitMaxFileLocks,userAttrChanged
    by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
    by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" write
    by self read
    by * none
[...]
This one works: it lets users authenticate and restricts access to the
attributes mentioned. Now, as the attribute list is a bit long, I thought
I could replace it with the shorthand notation:
access to dn.subtree="ou=people,ou=unix,dc=acme,dc=org"
    attrs=@acmeUserLimits
(since all listed attributes are only in acmeUserLimits).
Unfortunately this does not work; it blocks users from logging in (via
ssh). One time I got the message "Permissions on the password database
may be too restrictive."
Obviously the shorthand notation affects other attributes as well. But
looking at the object class definition, I don't see why. Can anyone
enlighten me about this?
Isaac
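As an added example (not from Isaac's post and not OpenLDAP's own code), here is a small Python model of the attrs=@objectClass expansion that compares the two ACL forms from the post. It assumes, as I read slapd.access(5) and slapd's schema handling, that @acmeUserLimits covers the MUST and MAY attributes of the class and of every superclass up to top, so objectClass (required by top) is part of the expansion; the schema table and ACL strings are reconstructed from the post.

```python
# Added example: models how slapd's attrs=@objectClass shorthand expands so
# the explicit attribute list and the @acmeUserLimits form can be compared.
# Assumption: @oc covers the class's MUST and MAY attributes including those
# inherited through SUP, so objectClass (required by top) is included.

# Attribute list taken from the explicit ACL in the post.
ACME_ATTRS = [
    "limitMaxUserProc", "limitMaxCpuTime", "limitMaxOpenFiles",
    "limitMaxCorefileSize", "limitMaxStackSize", "limitMaxMemorySize",
    "limitMaxVirtualMemory", "limitMaxDatasegSize", "limitMaxPipeSize",
    "limitMaxFileLocks", "userAttrChanged",
]

# Minimal schema table: class -> (SUP, MUST, MAY). 'top' is the standard
# abstract root class, whose single MUST attribute is objectClass.
SCHEMA = {
    "top": (None, ["objectClass"], []),
    "acmeUserLimits": ("top", [], ACME_ATTRS),
}


def expand_objectclass(oc, schema=SCHEMA):
    """Attributes that attrs=@<oc> matches, walking the SUP chain to top."""
    attrs = []
    while oc is not None:
        sup, must, may = schema[oc]
        for a in must + may:
            if a not in attrs:
                attrs.append(a)
        oc = sup
    return attrs


def parse_attrs_clause(clause, schema=SCHEMA):
    """Expand one ACL 'attrs=...' value into the attribute names it covers."""
    attrs = []
    for item in clause.split("=", 1)[1].split(","):
        item = item.strip()
        found = expand_objectclass(item[1:], schema) if item[:1] == "@" else [item]
        for a in found:
            if a not in attrs:
                attrs.append(a)
    return attrs


def extra_attributes(explicit_clause, shorthand_clause, schema=SCHEMA):
    """Attributes the shorthand clause covers that the explicit one does not."""
    explicit = set(parse_attrs_clause(explicit_clause, schema))
    return [a for a in parse_attrs_clause(shorthand_clause, schema)
            if a not in explicit]


if __name__ == "__main__":
    explicit = "attrs=" + ",".join(ACME_ATTRS)
    print(extra_attributes(explicit, "attrs=@acmeUserLimits"))  # ['objectClass']
```

If that expansion is right, the shorthand ACL also applies "by * none" to objectClass, which would explain why lookups that the explicit list left untouched start failing.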