Hi,
"Antonio Alonso" antonio.alonso@ericsson.com writes:
Hi!
I need some help with a pair of ACIs I have prepared (using OpenLDAP 2.4.7 on a SuSE 9 server).
I have created a DIT where several subscribers were provisioned. Under each subscriber entry there are two different entries ("application=data1" and "application=data2"):
application=data1,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
application=data2,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
And I have defined four different users (to bind to the system, apart from the "rootdn", of course):
- uid=data1owner,ou=users,dc=company,dc=com: can read and modify attribute values in "application=data1,..." entries
- uid=data2owner,ou=users,dc=company,dc=com: can read and modify attribute values in "application=data2,..." entries
- uid=data1checker,ou=users,dc=company,dc=com: can read attribute values in "application=data1,..." entries but can NOT modify them
- uid=admin,ou=users,dc=company,dc=com: can read and modify attribute values in "application=data1,..." and "application=data2,..." entries
I have included the following ACIs in the "slapd.conf" file (to get the behaviour explained above):
##
## Policy Rule [1]
## Access to "application=data1,..." entries
##
access to dn.regex="appName=data1,.+$"
        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop

##
## Policy Rule [2]
## Access to "application=data2,..." entries
##
access to dn.regex="application=data2,.+$"
        by dn.exact="uid=data2owner,ou=users,dc=company,dc=com" write stop
        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
I am getting the desired behaviour except for the "uid=data1checker" user. He only sees "application=data1" entries ("application=data2" entries are not visible to him), but he can ALSO modify attribute values in "application=data1" entries (i.e. it is exactly the same behaviour as "uid=data1owner", in spite of the first one having ONLY "read" access privileges and the second one "write" access privileges for the "application=data1,..." entries) (????)
Please, could any of you help me with this issue?
Run slapacl(8) and set the debug level to 128.
-Dieter
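A sketch of what the two rules above should grant, as an added example that is not part of this thread: it models slapd's first-match evaluation (the first matching "to" clause is used, the first matching "by" clause inside it decides, everything else is denied) over the four bind DNs and both entry types, so the expected matrix can be compared with what slapacl reports against the live configuration. It assumes rule [1] targets "application=data1" as its comment says (the pasted line reads "appName=data1"), and uses a made-up subscriberId value.

```python
import re

# Simplified model of how slapd evaluates "access to ... by ..." directives
# (added example, not from the thread): directives are tried in order, the first
# "to" clause whose dn.regex matches the target DN is used, inside it the first
# matching "by" clause decides, and anything unmatched is denied (slapd's implicit
# "by * none" and trailing "access to * by * none").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two rules as posted, with one assumption: rule [1] is taken to target
# "application=data1" as its comment says (the pasted line reads "appName=data1",
# which would match none of the entries described).
ACLS = [
    (r"application=data1,.+$", [
        ("uid=data1owner,ou=users,dc=company,dc=com", "write"),
        ("uid=data1checker,ou=users,dc=company,dc=com", "read"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
    (r"application=data2,.+$", [
        ("uid=data2owner,ou=users,dc=company,dc=com", "write"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
]


def granted(bind_dn, target_dn, acls=ACLS):
    """Access level the first matching directive grants bind_dn on target_dn."""
    for pattern, by_clauses in acls:
        if re.search(pattern, target_dn):   # dn.regex is unanchored unless it starts with ^
            for who, level in by_clauses:
                if who == bind_dn:          # dn.exact comparison (DNs assumed normalised)
                    return level
            return "none"                   # implicit "by * none" closes the directive
    return "none"                           # implicit "access to * by * none" at the end


def allowed(bind_dn, target_dn, wanted):
    """True when the granted level covers the requested privilege (higher implies lower)."""
    return LEVELS.index(granted(bind_dn, target_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    # Constructed sample entries under one subscriber; the subscriberId value is made up.
    for app in ("data1", "data2"):
        entry = f"application={app},subscriberId=1234,ou=subscribers,dc=company,dc=com"
        for user in ("data1owner", "data2owner", "data1checker", "admin"):
            bind = f"uid={user},ou=users,dc=company,dc=com"
            print(f"{user:13s} on {app}: read={allowed(bind, entry, 'read')!s:5s} "
                  f"write={allowed(bind, entry, 'write')}")
```

The matching live check for the problem case is slapacl(8) at the debug level Dieter mentions, e.g. `slapacl -f slapd.conf -d 128 -D "uid=data1checker,ou=users,dc=company,dc=com" -b "application=data1,subscriberId=1234,ou=subscribers,dc=company,dc=com" "description/write"` (attribute name and subscriberId are placeholders).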