"Antonio Alonso" <[EMAIL PROTECTED]> writes:

> Hi !
>
> First of all, thanks for the answers ;-))
>
> Yes, it is true, I had a mistake with the nomenclature. The fact is that the
> problem is NOT (as far as I tested it) in the regular expressions I am using
> (I also checked it by tracing the slapd execution with the "-d 128" option ... and
> checked that the matching is ok).
>
> I find the problem with the "read" access privilege for the "data1checker" user.
>
>> ##
>> ## Policy Rule [1]
>> ## Access to "application=data1,,..." entries
>> ##
>> access to dn.regex="appName=data1,.+$"
>>     by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>>     by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>>     by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
>
> "uid=data1owner" is able to read and modify attribute values in entries matching
> this regular expression (it is ok) ... but it is exactly the same behaviour as
> "uid=data1checker", in spite of this last one having ONLY read privileges (???)
>
> I interpreted (after reading manual pages and openldap-related FAQs) that "read"
> privilege only allows reading (but NOT modifying) attribute values for entries
> matching the rule .. but it is NOT what I am getting ...
>
> Am I understanding the "read" privilege wrongly ?
No, read access only includes auth and compare but not modify and add. If you run slapd with -d 128, let uid=data1checker add or modify an entry and follow the access rule parsing, this will show you the access rule that is applied to this write session.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
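As an added illustration, not part of this thread and a simplified model rather than slapd's real evaluator, of how slapd resolves ACLs like the one quoted above: the first `access to` rule whose target matches the entry is selected, then the first matching `by` clause grants its level, and `read` implies compare and auth but never write. It also shows why rule order matters, since an earlier, broader rule shadows the later one; the entry DN and the catch-all rule in the second ACL are constructed for the example.

```python
import re

# OpenLDAP access levels in increasing order; a granted level implies every
# level below it, so "read" covers compare and auth but not write or manage.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_allows(granted: str, required: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(required)

OWNER = "uid=data1owner,ou=users,dc=company,dc=com"
CHECKER = "uid=data1checker,ou=users,dc=company,dc=com"
ADMIN = "uid=admin,ou=users,dc=company,dc=com"

# Model of the ACL from the thread: (target regex, [(bind DN, level), ...]).
# Every <by> clause ends in "stop", so the first matching clause decides.
ACL_FROM_THREAD = [
    (r"appName=data1,.+$", [(OWNER, "write"), (CHECKER, "read"), (ADMIN, "manage")]),
]

# Constructed variant: a catch-all rule placed BEFORE the data1 rule. slapd
# uses the first rule whose target matches, so the data1 rule is never reached.
ACL_SHADOWED = [
    (r".*", [("*", "write")]),   # "by * write" stands in for an over-broad rule
] + ACL_FROM_THREAD

def granted_level(acl, bind_dn: str, target_dn: str) -> str:
    """Level the first applicable rule grants bind_dn on target_dn.

    Like slapd, only the first rule whose target matches is consulted; if no
    <by> clause in that rule matches the bind DN, the result is "none".
    dn.regex is unanchored unless the pattern says ^, hence re.search."""
    for target_re, clauses in acl:
        if re.search(target_re, target_dn):
            for who, level in clauses:
                if who == "*" or who == bind_dn:
                    return level
            return "none"
    return "none"

def can(acl, bind_dn: str, target_dn: str, operation: str) -> bool:
    """True if bind_dn may perform `operation` (an access level) on target_dn."""
    return level_allows(granted_level(acl, bind_dn, target_dn), operation)

if __name__ == "__main__":
    entry = "appName=data1,ou=apps,dc=company,dc=com"   # constructed entry DN
    for acl_name, acl in (("thread ACL", ACL_FROM_THREAD), ("shadowed", ACL_SHADOWED)):
        print(acl_name, "checker write:", can(acl, CHECKER, entry, "write"))
```

Under the thread's ACL the checker gets `read` and a modify is refused; under the shadowed ordering the checker gets `write` from the catch-all, which is the kind of thing the `-d 128` trace Dieter suggests would expose.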
