Hello.
Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control, I find the following:
<access directive> ::= access to <what> [by <who> <access> <control>]+
<what> ::= * | [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] [filter=<ldapfilter>] [attrs=<attrlist>]
<basic-style> ::= regex | exact
<scope-style> ::= base | one | subtree | children
<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
<attr> ::= <attrname> | entry | children
<who> ::= * | [anonymous | users | self | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] [dnattr=<attrname>] [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>] [peername[.<basic-style>]=<regex>] [sockname[.<basic-style>]=<regex>] [domain[.<basic-style>]=<regex>] [sockurl[.<basic-style>]=<regex>] [set=<setspec>] [aci=<attrname>]
<access> ::= [self]{<level>|<priv>}
<level> ::= none | auth | compare | search | read | write
<priv> ::= {=|+|-}{w|r|s|c|x|0}+
<control> ::= [stop | continue | break]
I'm particularly interested in the "what" clause:
<what> ::= * | [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
I understand the term "dn[.<basic-style>]" to mean that ".<basic-style>" is optional and can be left out, i.e. there's no need to write ".regex" or ".exact".
But when I write "access to dn=".*,dc=mylan,dc=net" attr=userPassword" in my slapd.conf, I cannot start slapd:
Apr 5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $
Apr 5 13:09:51 winds06 asmoore@ra
Apr 5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "attrs" instead.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/openldap/slapd.conf: line 81: bad DN ".*,dc=mylan,dc=net" in to DN clause
Apr 5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
Apr 5 13:09:51 winds06 unparseable log message: "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]"
Apr 5 13:09:51 winds06 unparseable log message: "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>"
Apr 5 13:09:51 winds06 unparseable log message: "<attrlist> ::= <attr> [ , <attrlist> ]"
Apr 5 13:09:51 winds06 unparseable log message: "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children"
Apr 5 13:09:51 winds06 unparseable log message: "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]"
Apr 5 13:09:51 winds06 [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
Apr 5 13:09:51 winds06 [dnattr=<attrname>]
Apr 5 13:09:51 winds06 [realdnattr=<attrname>]
Apr 5 13:09:51 winds06 [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
Apr 5 13:09:51 winds06 [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
Apr 5 13:09:51 winds06 [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
Apr 5 13:09:51 winds06 [aci[=<attrname>]]
Apr 5 13:09:51 winds06 [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
Apr 5 13:09:51 winds06 unparseable log message: "<style> ::= exact | regex | base(Object)"
Apr 5 13:09:51 winds06 unparseable log message: "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex"
Apr 5 13:09:51 winds06 unparseable log message: "<attrstyle> ::= exact | regex | base(Object) | on"
Apr 5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped.
Apr 5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_destroy: nothing to destroy.
It seems to me that ".regex" or ".exact" is required, because when I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword" in my slapd.conf, I can start slapd just fine.
Is this intended?
I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:08:47) $"?)
Best regards,
Alexander Skwar
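For reference, here is a complete slapd.conf ACL for userPassword written in the form the post reports as accepted (explicit dn style, and the "attrs" keyword that the log says replaces the deprecated "attr"). This is an added example, not part of the original message; the base DN dc=mylan,dc=net is taken from the post, while the "by" clauses are an assumed, conventional policy for a password attribute (the owner may change it, anyone may bind against it, nobody else may read it).

```conf
# Added example (not from the original post). Base DN dc=mylan,dc=net comes
# from the post; the "by" clauses are an assumed policy for userPassword.

# Form from the post that slapd 2.3 rejected with "bad DN ... in to DN
# clause" (and the "attr" deprecation warning); kept here commented out:
#access to dn=".*,dc=mylan,dc=net" attr=userPassword

# Accepted form: explicit regex style and the "attrs" keyword.
# "by" clauses are evaluated in order; the first matching one applies.
access to dn.regex=".*,dc=mylan,dc=net" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Alternative using the scope style from the same grammar instead of a
# regex. It also covers the base entry itself, which ".*,dc=mylan,dc=net"
# does not. Only the first matching "access to" clause applies, so use one
# of the two forms, not both:
#access to dn.subtree="dc=mylan,dc=net" attrs=userPassword
#        by self write
#        by anonymous auth
#        by * none
```

Before restarting the daemon, the file can be syntax-checked without touching the databases with slaptest -u -f /opt/csw/etc/openldap/slapd.conf (the path is the one from the log excerpt); a parse error such as the "bad DN" above shows up there instead of at startup.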