Hi Aaron,
Isn't it the same as setting loglevel 128 (access control list processing) in /etc/openldap/slapd.conf?
This is the slapd.access acl:

    access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
        by set.regex="user/allowedDomain & $2" write

These are the logs:

    slapd[19439]: => access_allowed: add access to "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR" "entry" requested
    slapd[19439]: => dnpat: [1] .*,ou=User,o=example,c=BR nsub: 0
    slapd[19439]: => dnpat: [2] .*,ou=User,o=example,c=BR nsub: 0
    slapd[19439]: => dnpat: [3] ^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$ nsub: 2
    slapd[19439]: => acl_get: [3] matched
    slapd[19439]: => acl_get: [3] attr entry
    slapd[19439]: => acl_mask: access to entry "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR", attr "entry" requested
    slapd[19439]: => acl_mask: to all values by "uid=ronie,ou=user,o=example,c=br", (=0)
    slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
    slapd[19439]: => bdb_entry_get: found entry: "uid=ronie,ou=user,o=example,c=br"
    slapd[19439]: <= acl_mask: [4] applying read(=rscxd) (stop)
    slapd[19439]: <= acl_mask: [4] mask: read(=rscxd)
    slapd[19439]: => slap_access_allowed: add access denied by read(=rscxd)
    slapd[19439]: => access_allowed: no more rules
Thanks, Ronie
-------- Original Message --------
Subject: Re: set.regex and substring substitution
From: Aaron Richton richton@nbcs.rutgers.edu
To: Ronie Gilberto Henrich ronie@ronie.com.br
Cc: openldap-software@openldap.org
Date: Wed Sep 16 2009 13:45:00 GMT-0300
> On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:
>
>> I think you mean "slapacl -D"
>
> No, I mean "slapd -d acl", not to say that slapacl isn't useful too. The key to slapacl is knowing what the proper input should be, and history has shown that "slapd -d acl" often proves enlightening to discovering the actual input to the ACL rules.
>
> Also, if you post relevant parts of "slapd -d acl" output to the list, it'll be a LOT easier than us having to try to divine (possibly quite relevant) DIT details.
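As an added example (not from Ronie's or Aaron's mail, and not OpenLDAP code): a small Python parser for the kind of "slapd -d acl" trace posted above. It pulls out which rule matched, how many regex groups that rule's dnpat captured, and whether a set pattern still carried a literal $N when slapd checked it. It assumes the trace prints the set pattern as slapd evaluated it; the sample lines are constructed from the trace above, trimmed.

```python
import re

# Constructed sample, in the shape of the "slapd -d acl" trace posted above (trimmed).
SAMPLE_TRACE = """\
slapd[19439]: => access_allowed: add access to "mail=teste2@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR" "entry" requested
slapd[19439]: => dnpat: [1] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [2] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [3] ^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$ nsub: 2
slapd[19439]: => acl_get: [3] matched
slapd[19439]: => acl_mask: to all values by "uid=ronie,ou=user,o=example,c=br", (=0)
slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
slapd[19439]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[19439]: => slap_access_allowed: add access denied by read(=rscxd)
"""

LINE_RES = {
    "request": re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested'),
    "dnpat":   re.compile(r'dnpat: \[(\d+)\] (.+) nsub: (\d+)$'),
    "matched": re.compile(r'acl_get: \[(\d+)\] matched'),
    "setpat":  re.compile(r'check a_set_pat: (.+)$'),
    "applied": re.compile(r'acl_mask: \[(\d+)\] applying (\S+)'),
    "result":  re.compile(r'slap_access_allowed: \w+ access (denied|granted) by (\S+)'),
}
PLACEHOLDER = re.compile(r'\$\d+')   # an unexpanded $1, $2, ... in a pattern

def parse_acl_trace(text):
    """Reduce one access decision in a slapd -d acl trace to the facts that
    show which rule matched and whether its set pattern was expanded."""
    info = {"dnpats": {}, "set_patterns": []}
    for line in text.splitlines():
        for key, rx in LINE_RES.items():
            m = rx.search(line)
            if m is None:
                continue
            if key == "dnpat":          # every rule tried, with its regex group count
                info["dnpats"][int(m.group(1))] = (m.group(2), int(m.group(3)))
            elif key == "setpat":       # set pattern as slapd evaluated it (assumption)
                info["set_patterns"].append(m.group(1))
            else:
                info[key] = m.groups()
    rule = int(info["matched"][0]) if "matched" in info else None
    nsub = info["dnpats"].get(rule, ("", 0))[1]
    # A literal $N surviving in a checked set pattern means no group substitution
    # happened, even though the dnpat that matched captured nsub groups.
    unexpanded = [p for p in info["set_patterns"] if PLACEHOLDER.search(p)]
    return {"rule": rule, "nsub": nsub, "unexpanded": unexpanded,
            "request": info.get("request"), "applied": info.get("applied"),
            "result": info.get("result")}
```

Run it over a trace from `slapd -d acl` and compare `nsub` with the `$N` values that stay literal in `unexpanded`: that is the first thing to check before wondering why a later "by" clause applied.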