Hi!
First of all, thanks for the answers ;-))
Yes, it is true, I had a mistake with the nomenclature. The fact is that the problem is NOT (as far as I tested it) in the regular expressions I am using (I also checked it by tracing the slapd execution with the "-d 128" option ... and checked that the matching is ok).
I find the problem with the "read" access privilege for the "data1checker" user.
##
## Policy Rule [1]
## Access to "application=data1,,..." entries
##
access to dn.regex="appName=data1,.+$"
    by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
    by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
    by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
"uid=data1owner" is able to read and modify attribute values in entries matching this regular expression (it is ok) ... but it is exactly the same behaviour for "uid=data1checker", in spite of this last one having ONLY read privileges (???)
I interpreted (after reading manual pages and openldap-related FAQs) that the "read" privilege only allows reading (but NOT modifying) attribute values for entries matching the rule ... but it is NOT what I am getting ...
Am I understanding the "read" privilege wrongly?
Thanks in advance
BR / Antonio
P.S: I also tested with openLDAP3.2.8, but it is the same behaviour ... and I am almost sure the error is NOT in the regexp being used (I was testing it in depth to be sure about that).
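A simplified model of how slapd evaluates the directive quoted above, added here as an illustration (my code, not slapd's and not Antonio's configuration; the entry DN "appName=data1,ou=apps,dc=company,dc=com" and the leading catch-all directive are constructed). It shows that "read" never implies "write" in the rule as posted, and that a broader access directive placed earlier in slapd.conf is selected first and silently shadows the specific one, which is one thing worth checking when a read-only user turns out to be able to write.

```python
import re

# Privilege levels in slapd's access model, lowest to highest. Granting a
# level implies every lower one, so "read" implies search/compare/auth but
# never write.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed, parsed form of the directive from the post: each directive is
# (regex over the entry DN, list of (who, level)); every "by" clause carries
# "stop", which is also the default control.
ACL = [
    (r"appName=data1,.+$", [
        ("uid=data1owner,ou=users,dc=company,dc=com", "write"),
        ("uid=data1checker,ou=users,dc=company,dc=com", "read"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
]

# Constructed ordering pitfall: an "access to * by * write" directive that
# precedes the specific rule. slapd selects the first "access to" whose
# target matches, so the specific rule is never reached.
SHADOWED = [(r".*", [("*", "write")])] + ACL


def granted_level(acl, entry_dn, bind_dn):
    """Simplified evaluation: the first directive whose dn.regex matches the
    entry is selected (unanchored search, like the posted pattern which has
    '$' but no '^'); inside it, the first matching "by" clause decides.
    If nothing matches, access is denied: the implicit "access to * by * read"
    only applies when the configuration contains no access directives at all."""
    for target, clauses in acl:
        if re.search(target, entry_dn):
            for who, level in clauses:
                if who == "*" or who == bind_dn:
                    return level
            return "none"
    return "none"


def allows(acl, entry_dn, bind_dn, wanted):
    """True if the granted level is at least the wanted level."""
    return LEVELS.index(granted_level(acl, entry_dn, bind_dn)) >= LEVELS.index(wanted)
```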
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Friday, 14 March 2008 21:46
To: Michael Ströder; Antonio Alonso
Cc: openldap-software@openldap.org
Subject: Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
--On Friday, March 14, 2008 1:41 PM +0100 Michael Ströder michael@stroeder.com wrote:
Antonio Alonso wrote:
I need some help with a pair of ACIs I have prepared (using openldap 2.4.7 in a SuSE9 server)
Note that ACI support does not get as much attention from the developers as ACLs in slapd.conf. So I'd rather recommend doing what you want with ACLs. This definitely is possible. See examples for regex-based ACLs in the FAQ-O-MATIC:
He was using ACLs. He just called them ACIs. You may want to read his entire email.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration