Hi List,
just another short question regarding incremental privileges, given the following acl:
access to dn.subtree="o=test" attrs=description by self =dxcsraz continue by users -z by * none
Subtracting "z" results in the access mask "=dxcsr". As I expected the resulting access mask to be "=dxcsra", I would like to know whether "=dxcsr" is the correct result, and if so, why?
Many thanks again!
A small testbed containing sample ldif data, ldapmodify test command and the produced slapd.log (level 128) follows here:
sample ldif data:
===============
dn: o=test
objectClass: organization
objectClass: top
o: test

dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons

dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==
test command using ldapmodify:
=============================
deepee@test:~$ /opt/openldap-acl/bin/ldapmodify -x -H "ldap://localhost:1389" -D "cn=PersonA,ou=persons,o=test" -w PersonA <<EOF
dn: cn=PersonA,ou=persons,o=test
changetype: modify
add: description
description: PersonA1
EOF
modifying entry "cn=PersonA,ou=persons,o=test"
ldap_modify: Insufficient access (50)
slapd.log level 128:
=================
501fb8b7 => access_allowed: result not in cache (userPassword)
501fb8b7 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test" "userPassword" requested
501fb8b7 => dn: [1] o=test
501fb8b7 => acl_get: [1] matched
501fb8b7 => acl_get: [2] attr userPassword
501fb8b7 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "userPassword" requested
501fb8b7 => acl_mask: to value by "", (=0)
501fb8b7 <= check a_dn_pat: self
501fb8b7 <= check a_dn_pat: users
501fb8b7 <= check a_dn_pat: anonymous
501fb8b7 <= acl_mask: [3] applying auth(=xd) (stop)
501fb8b7 <= acl_mask: [3] mask: auth(=xd)
501fb8b7 => slap_access_allowed: auth access granted by auth(=xd)
501fb8b7 => access_allowed: auth access granted by auth(=xd)
501fb8b7 => access_allowed: result not in cache (description)
501fb8b7 => access_allowed: add access to "cn=PersonA,ou=persons,o=test" "description" requested
501fb8b7 => dn: [1] o=test
501fb8b7 => acl_get: [1] matched
501fb8b7 => acl_get: [1] attr description
501fb8b7 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "description" requested
501fb8b7 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501fb8b7 <= check a_dn_pat: self
501fb8b7 <= acl_mask: [1] applying =wrscxd (continue)
501fb8b7 <= acl_mask: [1] mask: =wrscxd
501fb8b7 <= check a_dn_pat: users
501fb8b7 <= acl_mask: [2] applying -z (stop)
501fb8b7 <= acl_mask: [2] mask: =rscxd
501fb8b7 => slap_access_allowed: add access denied by =rscxd
501fb8b7 => access_allowed: no more rules
BTW: Replacing the first by clause with "self write" or "self =dxcsrw" also results in "=dxcsr".
JFF: Replacing the second by clause with "users -a", the test results in the above mask (=dxcsr), too.
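For readers following the thread, here is a small model of the incremental privilege arithmetic as slapd.access(5) documents it ("=" assigns a mask, "+" adds privileges, "-" removes them, and "w" is shorthand for "az"), walked over the by clauses of the ACL in the post. It is an added example written for this page, not code from the post or from OpenLDAP; the bit values, the helper names and the choice to print a lone "a" or "z" letter are this model's own assumptions. Under the documented rules the self-and-users subject ends with the mask the poster expected (=dxcsra, which the model prints as "=arscxd"), whereas the posted log shows the running slapd reporting "=rscxd"; the model reproduces the rule as written, not the server's observed result, and does not claim to explain the difference.

```python
"""Model of slapd.access(5) incremental privilege arithmetic.

Added example, not code from the post or from OpenLDAP. Bit values and
the a/z printing rule are this model's own assumptions.
"""

# Single-letter privileges from slapd.access(5); bit positions are arbitrary.
PRIV_BITS = {
    "d": 1 << 0,  # disclose
    "x": 1 << 1,  # auth
    "c": 1 << 2,  # compare
    "s": 1 << 3,  # search
    "r": 1 << 4,  # read
    "a": 1 << 5,  # add (one half of write)
    "z": 1 << 6,  # delete (the other half of write)
    "m": 1 << 7,  # manage
}
PRIV_BITS["w"] = PRIV_BITS["a"] | PRIV_BITS["z"]  # "w" is shorthand for "az"

# Cumulative access levels, spelled as the letters slapd prints for them
# (the posted log shows "auth(=xd)" and "=wrscxd" for write).
LEVELS = {
    "none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
    "search": "scxd", "read": "rscxd", "write": "wrscxd", "manage": "mwrscxd",
}

# Privilege each operation needs, per the privilege list in slapd.access(5).
NEEDED = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
          "read": "r", "add": "a", "delete": "z"}


def letters_to_mask(letters):
    mask = 0
    for ch in letters:
        mask |= PRIV_BITS[ch]
    return mask


def mask_to_str(mask):
    """Render a mask as '=' plus letters, with 'w' standing for a+z.
    Printing a lone 'a' or 'z' when only one half is set is an assumption."""
    out = "m" if mask & PRIV_BITS["m"] else ""
    has_add, has_del = mask & PRIV_BITS["a"], mask & PRIV_BITS["z"]
    if has_add and has_del:
        out += "w"
    elif has_add:
        out += "a"
    elif has_del:
        out += "z"
    for ch in "rscxd":
        if mask & PRIV_BITS[ch]:
            out += ch
    return "=" + out


def parse_spec(spec):
    """Return (op, bits) for '=dxcsraz', '-z', '+w' or a level name such as 'write'.
    A level name is always an assignment."""
    if spec in LEVELS:
        return "=", letters_to_mask(LEVELS[spec])
    op, letters = spec[0], spec[1:]
    if op not in "=+-":
        raise ValueError("bad access spec: " + spec)
    return op, letters_to_mask(letters)


def apply_spec(mask, spec):
    op, bits = parse_spec(spec)
    if op == "=":
        return bits
    if op == "+":
        return mask | bits
    return mask & ~bits


def evaluate(by_clauses, subject_matches):
    """Walk the <by> clauses in order. Each clause is (who, access, control),
    control being 'stop' (the default) or 'continue'. subject_matches is the
    set of <who> patterns the requester satisfies; '*' matches everyone."""
    mask = 0
    for who, access, control in by_clauses:
        if who != "*" and who not in subject_matches:
            continue
        mask = apply_spec(mask, access)
        if control != "continue":
            break
    return mask


def allowed(mask, operation):
    return (mask & letters_to_mask(NEEDED[operation])) != 0


# The ACL from the post, one tuple per <by> clause.
POSTED_ACL = [
    ("self", "=dxcsraz", "continue"),
    ("users", "-z", "stop"),
    ("*", "none", "stop"),
]

if __name__ == "__main__":
    # PersonA modifying its own entry matches both "self" and "users".
    mask = evaluate(POSTED_ACL, {"self", "users"})
    print("documented arithmetic gives", mask_to_str(mask))
    print("add allowed under that mask:", allowed(mask, "add"))
    print("anonymous gets", mask_to_str(evaluate(POSTED_ACL, set())))
```

The two variants mentioned at the end of the post can be checked the same way: "self write" first assigns wrscxd and "-z" then leaves the add half, while "users -a" strips the add half and leaves the delete half.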