On 07/08/2009 22:36, Jittinan Suwanrueangsri wrote:
Hi all
I have tested the ACL of OpenLDAP 2.4 by using the following code in slapd.conf:
access to dn.subtree="ou=System,dc=example,dc=com" by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write by users read
In my directory there is a DN cn=LdapAdmins,ou=Groups,dc=example,dc=com, but from the log message shown below the DN does not match the pattern cn=[^,]+,ou=Groups,dc=example,dc=com, because it gets read permission. After that I changed the ACL to
access to dn.subtree="ou=System,dc=example,dc=com" by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write by users read
It works correctly and gets write permission.
Because I use group/groupOfUniqueNames/uniqueMember.regex, it should treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression pattern, but it seems that it is just an exact pattern. Why? Who can explain?
According to slapd.access(5), regex expansion is not supported for the group clause in ACLs.
Only submatch replacement is possible.
To implement this access policy, you may want to check out sets. See http://www.openldap.org/faq/data/cache/1133.html
Regards, Jonathan
Log level 128
=> access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: pattern: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com
<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
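The log above shows the mechanism Jonathan describes: acl_string_expand leaves the group pattern unchanged (there is no $n to substitute), the literal DN cn=[^,]+,ou=Groups,dc=example,dc=com is then looked up as a group entry and not found, and evaluation falls through to "by users read". The fragment below is an added example, not part of this thread or of the OpenLDAP project, showing the two forms slapd.access(5) does support for this directory. It assumes the layout from the question (people under ou=System, groupOfUniqueNames groups under ou=Groups) plus one extra assumption for the second clause, a per-team ou under ou=System.

```conf
# Added example, not from the original post. Assumes the layout from the
# question: entries under ou=System, groupOfUniqueNames groups under ou=Groups.
#
# slapd uses the first "access to" directive whose target matches, so the
# more specific dn.regex clause must come before the dn.subtree clause.

# 1. Submatch replacement, the only expansion the group clause supports:
#    the group DN is built from a capture of the "to" regex, it is not
#    matched as a regex of its own. uid=*,ou=<team>,ou=System is writable
#    by members of cn=<team>,ou=Groups. (The per-team ou is an assumption.)
access to dn.regex="^uid=[^,]+,ou=([^,]+),ou=System,dc=example,dc=com$"
    by group/groupOfUniqueNames/uniqueMember.expand="cn=$1,ou=Groups,dc=example,dc=com" write
    by users read

# 2. Exact group via a set clause (what the reply points to).
#    "[dn]/uniqueMember" reads the uniqueMember values of that entry and
#    "& user" intersects them with the bound DN, so the clause matches only
#    when the bound user is listed in cn=LdapAdmins.
access to dn.subtree="ou=System,dc=example,dc=com"
    by set="[cn=LdapAdmins,ou=Groups,dc=example,dc=com]/uniqueMember & user" write
    by users read
```

Neither form turns the group DN into a regular expression: the set clause still names one group entry, and .expand only substitutes captures from the "to" pattern. After changing the ACL, re-run the request with loglevel 128 and confirm that the a_group_pat (or set) check is followed by "applying write" rather than falling through to the a_dn_pat "users" clause.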
openldap-software@openldap.org