Hello
I have a problem with the set keyword in ACL.
Here is the setup. My directory has objects in two classes: persons and addresses.
A person looks like this:
dn: cn=jdoe,ou=sales,dc=example,dc=net
cn: jdoe
rfc822Mailbox: John.Doe@example.net
An address looks like this:
dn: netExampleMail=John.Doe@example.net,dc=example,dc=net
netExampleMail: John.Doe@example.net
netExampleEnable: TRUE
Now I want to give a user the right to modify the netExampleEnable attribute for an address if his rfc822Mailbox matches the netExampleMail of the address.
After banging my head on the documentation for one day, I came to the conclusion that I had to use the set keyword. Here is what I tried:
access to dn.regex="netExampleMail=([^,]+),dc=example,dc=net"
    by set.expand=[ldap://localhost/dc=example,dc=net?dn?sub?rfc822Mailbox=$1] write
    by * read
The access is always granted, whatever address entry a user attempts to modify.
Worse: the URI dereferencing is ignored: replacing the LDAP host by an IP address that has no LDAP service causes no error. Running tcpdump shows that no attempt was made to connect to the LDAP service.
Here is the log output:
=> acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested
=> acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)
<= check a_set_pat: [ldap://example.net/dc=example,dc=net?dn?sub?rfc822mailbox=$1]
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: delete access granted by write(=wrscxd)
--On Thursday, January 25, 2007 6:27 PM +0000 Emmanuel Dreyfus manu@netbsd.org wrote:
> Hello
> I have a problem with the set keyword in ACL.
> Here is the setup. My directory has objects in two classes: persons and addresses
You may want to read over:
http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html
In particular, the example set ACL near the bottom. I think it is more what you are looking for in how to construct a set correctly. Assuming of course that the user binds to one of the two entry types you discussed.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
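For readers landing on this thread, here is an added example of the kind of set ACL the reply points to, written for the person/address layout in the original message. It is not from either poster; it uses the `this/attr` and `user/attr` set form documented in slapd.access(5) instead of an LDAP URI, and it assumes the modifying user binds as the person entry (cn=jdoe,ou=sales,dc=example,dc=net) and that the attribute names are exactly those shown above.

```conf
# Added example, not from the thread. Assumes the bound DN is the person
# entry and that address entries sit directly under dc=example,dc=net.
#
# Only the netExampleEnable attribute of address entries is covered here;
# everything else falls through to the catch-all ACL below.
#
# In the set clause, "this" is the address entry being modified and
# "user" is the bound DN. "this/netExampleMail" is the set of that
# entry's netExampleMail values and "user/rfc822Mailbox" the set of the
# bound entry's rfc822Mailbox values. "&" intersects the two sets; a
# non-empty intersection satisfies the clause. slapd resolves both
# sides from its own database, so no outbound LDAP connection is made.
access to dn.regex="^netExampleMail=[^,]+,dc=example,dc=net$"
        attrs=netExampleEnable
    by set="this/netExampleMail & user/rfc822Mailbox" write
    by * read

# Everything else stays read-only for authenticated users.
access to *
    by users read
```

Before reloading slapd, the decision can be checked offline with slapacl, e.g. `slapacl -f slapd.conf -D "cn=jdoe,ou=sales,dc=example,dc=net" -b "netExampleMail=John.Doe@example.net,dc=example,dc=net" netExampleEnable/write`, and then repeated with the DN of an address whose netExampleMail does not match jdoe's rfc822Mailbox, which should report that write access is denied. Because the comparison is between attribute values of two entries, any user who can write rfc822Mailbox on person entries can also change which addresses they may enable, so that attribute should be kept read-only for ordinary users by the other ACLs.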