Hi all,
I have tested the ACLs of OpenLDAP 2.4 using the following configuration in
slapd.conf:

access to dn.subtree="ou=System,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write
    by users read
In my directory there is an entry with dn: cn=LdapAdmins,ou=Groups,dc=example,dc=com,
but from the log message shown below the DN does not match the pattern
cn=[^,]+,ou=Groups,dc=example,dc=com, because it only gets read
permission. After that I changed the ACL to:

access to dn.subtree="ou=System,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
    by users read
This works correctly: I get write permission.
Because I use group/groupOfUniqueNames/uniqueMember.regex, it should
treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression
pattern, but it seems that it is only used as an exact pattern. Why? Can
anyone explain?

Log level 128:
=> access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
/=> acl_string_expand: pattern: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com/
<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
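As an added example (not part of the original post and not OpenLDAP code): a small Python parser for the loglevel-128 ACL trace quoted above. It splits the trace into one record per access_allowed evaluation, records the bound DN, every "by" clause slapd tried, which clause the "applying" line followed, and the final verdict. It also flags group patterns that contain regex metacharacters but came out of acl_string_expand unchanged without matching; slapd.access(5) documents only the exact and expand styles for group clauses, and the (expanded) pattern is used as the DN of the group entry to look up, which is consistent with the trace above showing the expanded string identical to the pattern. The sample trace is constructed from the post's log with the mail-wrapped lines rejoined and the decorative slashes dropped; all function names are mine.

```python
"""Parse slapd ACL trace output (loglevel 128, i.e. "acl") and report which
<by> clause granted or denied access.  Added example, not from the post."""
import re

# Constructed sample input: the trace quoted in the post, wrapped lines rejoined.
SAMPLE_TRACE = """\
=> access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> slap_access_allowed: result not in cache (objectClass)
=> acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
<= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: pattern: cn=[^,]+,ou=Groups,dc=example,dc=com
=> acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com
<= check a_dn_pat: users
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
"""

ACCESS_REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
BOUND_AS   = re.compile(r'^=> acl_mask: to value by "([^"]+)"')
GROUP_PAT  = re.compile(r'^<= check a_group_pat: (.*)$')
EXPAND_OUT = re.compile(r'^=> acl_string_expand: expanded: (.*)$')
DN_PAT     = re.compile(r'^<= check a_dn_pat: (.*)$')
APPLYING   = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)')
VERDICT    = re.compile(r'^=> access_allowed: (\w+) access (granted|denied)')

# Characters that only make sense in a regex, never in a literal DN.
REGEX_META = set('[]*+?^$(|\\')


def parse_acl_trace(text):
    """Return one dict per access_allowed evaluation found in the trace.

    The "applying" line is printed right after the <by> clause that matched,
    so the last clause checked before it is the one that granted the mask."""
    evals, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCESS_REQ.match(line):
            cur = {"access": m[1], "target": m[2], "attr": m[3], "bound_as": None,
                   "clauses": [], "acl": None, "applied": None, "result": None}
            evals.append(cur)
            continue
        if cur is None:
            continue
        if m := BOUND_AS.match(line):
            cur["bound_as"] = m[1]
        elif m := GROUP_PAT.match(line):
            cur["clauses"].append({"kind": "group", "pattern": m[1],
                                   "expanded": None, "matched": False})
        elif m := EXPAND_OUT.match(line):
            if cur["clauses"]:                    # expansion belongs to the last clause
                cur["clauses"][-1]["expanded"] = m[1]
        elif m := DN_PAT.match(line):
            cur["clauses"].append({"kind": "dn", "pattern": m[1],
                                   "expanded": None, "matched": False})
        elif m := APPLYING.match(line):
            cur["acl"] = int(m[1])
            cur["applied"] = {"level": m[2], "privs": m[3]}
            if cur["clauses"]:
                cur["clauses"][-1]["matched"] = True
        elif m := VERDICT.match(line):
            cur["result"] = m[2]
    return evals


def suspicious_group_clauses(evaluation):
    """Heuristic: group patterns that look like a regex, were expanded to
    themselves (no submatches to substitute) and did not match.  Such a
    pattern is being looked up literally as a group DN."""
    return [c["pattern"] for c in evaluation["clauses"]
            if c["kind"] == "group" and not c["matched"]
            and c["expanded"] == c["pattern"] and REGEX_META & set(c["pattern"])]


def summarize(evaluation):
    """One-line human summary of an evaluation record."""
    hit = next((c for c in evaluation["clauses"] if c["matched"]), None)
    by = f'{hit["kind"]}={hit["pattern"]}' if hit else "no clause"
    return (f'{evaluation["access"]} on {evaluation["target"]} ({evaluation["attr"]}) '
            f'by {evaluation["bound_as"]}: {evaluation["result"]} via ACL '
            f'[{evaluation["acl"]}] {by} -> {evaluation["applied"]["level"]}')


if __name__ == "__main__":
    for ev in parse_acl_trace(SAMPLE_TRACE):
        print(summarize(ev))
        for pat in suspicious_group_clauses(ev):
            print(f'  group pattern "{pat}" was expanded unchanged and looked up literally')
```

Run against the sample, the parser reports that ACL [2] granted read through the "users" clause, and flags the group pattern as a regex-looking string that went through acl_string_expand unchanged. Feed it the same trace after changing the ACL and you can confirm which clause is doing the work without reading the raw log by eye.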