Hi! First of all, thanks for the answers ;-))

Yes, it is true, I had a mistake with the nomenclature. The fact is that the problem is NOT (as far as I tested it) in the regular expressions I am using (I also checked it by tracing the slapd execution with the "-d 128" option ... and checked the matching is ok). I find the problem with the "read" access privilege for the "data1checker" user.

> ##
> ## Policy Rule [1]
> ## Access to "application=data1,,..." entries
> ##
> access to dn.regex="appName=data1,.+$"
>     by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>     by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>     by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop

"uid=data1owner" is able to read and modify attribute values in entries matching this regular expression (it is ok) ... but it is exactly the same behaviour as "uid=data1checker", in spite of this last one having ONLY read privileges (???)

I interpreted (after reading manual pages and openldap-related FAQs) that the "read" privilege only allows reading (but NOT modifying) attribute values for entries matching the rule ... but it is NOT what I am getting ...

Am I understanding the "read" privilege wrongly?

Thanks in advance

BR / Antonio

P.S: I also tested with openLDAP3.2.8, but it is the same behaviour ... and I am almost sure the error is NOT in the regexp being used (I was testing it in depth to be sure about that).

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 March 2008 21:46
To: Michael Ströder; Antonio Alonso
Cc: [email protected]
Subject: Re: ACIs problem when allowing "read" but restricting "updates" in specific entries

--On Friday, March 14, 2008 1:41 PM +0100 Michael Ströder <[EMAIL PROTECTED]> wrote:

> Antonio Alonso wrote:
>>
>> I need some help with a pair of ACIs I have prepared (using openldap
>> 2.4.7 in a SuSE9 server)
>
> Note that ACI support does not get this much attention by the
> developers like ACLs in slapd.conf. So I'd rather recommend to do what
> you want with ACLs. This definitely is possible. See examples for
> regex-based ACLs in the FAQ-O-MATIC:

He was using ACLs. He just called them ACI's. You may want to read his entire email.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
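
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of slapd's documented ACL evaluation (first matching "access to", then first matching "by", with each access level implying the lower ones), applied to Policy Rule [1] above. The entry DN and the SHADOWED rule set are constructed for illustration, and DN normalization is reduced to a case-insensitive comparison.

```python
import re

# slapd access levels, lowest to highest; each level implies all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

CHECKER = "uid=data1checker,ou=users,dc=company,dc=com"
OWNER = "uid=data1owner,ou=users,dc=company,dc=com"
ENTRY = "appName=data1,ou=apps,dc=company,dc=com"  # constructed sample entry DN

# Policy Rule [1] from the message: (target regex, [(who, level)]).
RULE_1 = (r"appName=data1,.+$", [
    (OWNER, "write"),
    (CHECKER, "read"),
    ("uid=admin,ou=users,dc=company,dc=com", "manage"),
])
ACL = [RULE_1]
# Constructed, not from the message: a broader rule placed before Rule [1].
SHADOWED = [(r".*", [("users", "write")]), RULE_1]

def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "users":            # any authenticated identity
        return bind_dn != ""
    return who.lower() == bind_dn.lower()  # simplified dn.exact

def granted_level(acl, bind_dn, entry_dn):
    """First matching 'access to' wins; inside it, first matching 'by' wins."""
    for target, by_clauses in acl:
        if re.search(target, entry_dn, re.IGNORECASE):
            for who, level in by_clauses:
                if who_matches(who, bind_dn):
                    return level  # default control "stop": evaluation ends
            return "none"         # implicit trailing "by * none"
    return "none"                 # no rule matched the entry: access denied

def allowed(acl, bind_dn, entry_dn, requested):
    granted = granted_level(acl, bind_dn, entry_dn)
    return LEVELS.index(granted) >= LEVELS.index(requested)

if __name__ == "__main__":
    for name, acl in (("Rule [1] alone", ACL), ("broader rule first", SHADOWED)):
        for op in ("read", "write"):
            print(name, "checker", op, allowed(acl, CHECKER, ENTRY, op))
```

On a live server, slapacl(8) answers the same question against the real slapd configuration rather than a model.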
