Bernhard D Rohrer wrote:
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$" by dn="uid=$1,ou=users,dc=graylion,dc=net" write by dn.regex="cn=admin,dc=graylion,dc=net" read by users none
This rule is bogus:
by dn="uid=$1,ou=users,dc=graylion,dc=net" write
matches a DN exactly containing the literal "uid=$1,ou=users,dc=graylion,dc=net" (the default style has been "exact" for quite a long time);
by dn.regex="cn=admin,dc=graylion,dc=net" read
uses a regex to match an exact value, which means that a DN __containing__ "cn=admin,dc=graylion,dc=net" (e.g. "cn=admin,dc=graylion,dc=network") would match as well;
by users none
is not necessary since anything not matching the previous "by" clauses will get the default privileges, i.e. "none" (actually, the default privileges should now be "disclose", so an explicit "by * none" could be necessary to strictly enforce "none").
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
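The same ACL rewritten so that each "by" clause does what the original was evidently meant to do. This is an added example, not text from the reply above or from the OpenLDAP documentation; it uses OpenLDAP slapd.conf syntax. The leading "^" anchor on the "to" regex and the "expand" modifier on the first "by" clause are assumptions added to match the three points made in the reply; the original rule contained neither.

```conf
# Entries directly under ou=personal,ou=contacts,dc=graylion,dc=net.
# "^" and "$" anchor the pattern so a DN merely containing this suffix
# (e.g. one with an extra leading RDN) does not match; "([^,]+)" captures
# the cn value as $1 for use in the by-clauses below.
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    # "expand" substitutes $1 from the capture above BEFORE the comparison;
    # plain dn="uid=$1,..." (default style exact) would compare against the
    # literal characters "uid=$1,..." and never match a real user.
    by dn.exact,expand="uid=$1,ou=users,dc=graylion,dc=net" write
    # Exact comparison, not a regex: "cn=admin,dc=graylion,dc=network"
    # no longer matches.
    by dn.exact="cn=admin,dc=graylion,dc=net" read
    # Explicit catch-all, as the reply suggests, rather than relying on
    # the default privilege for unmatched subjects.
    by * none
```

slapd applies the first "by" clause whose subject matches, so the order above matters: the owner line must come before the admin line if the admin should not lose write access by also being an owner somewhere. The result can be checked offline against the config with slapacl, for example running slapacl with "-f slapd.conf", "-b" set to a contact DN such as "cn=alice,ou=personal,ou=contacts,dc=graylion,dc=net", "-D" set to "uid=alice,ou=users,dc=graylion,dc=net" and the request "entry/write" (alice is a constructed sample name); repeating the same check with "-D cn=admin,dc=graylion,dc=network" should report the access as denied.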