On 07/08/2009 22:36, Jittinan Suwanrueangsri wrote:
> Hi all,
>
> I have tested the ACL of OpenLDAP 2.4 by using the following code in slapd.conf:
>
> access to dn.subtree="ou=System,dc=example,dc=com"
>         by group/groupOfUniqueNames/uniqueMember.regex="cn=[^,]+,ou=Groups,dc=example,dc=com" write
>         by users read
>
> In my directory there is a DN cn=LdapAdmins,ou=Groups,dc=example,dc=com, but from the log message which is shown below the DN does not match the pattern cn=[^,]+,ou=Groups,dc=example,dc=com, because it gets read permission.
>
> After that I changed the ACL to:
>
> access to dn.subtree="ou=System,dc=example,dc=com"
>         by group/groupOfUniqueNames/uniqueMember.regex="cn=LdapAdmins,ou=Groups,dc=example,dc=com" write
>         by users read
>
> It works correctly and gets write permission. Because I use group/groupOfUniqueNames/uniqueMember.regex, it should treat "cn=[^,]+,ou=Groups,dc=example,dc=com" as a regular expression pattern, but it seems that it is just an exact pattern. Why? Who can explain?
According to slapd.access(5), regex expansion is not supported for the group clause in ACLs.
Only submatch replacement is possible. To implement this access policy, you may want to check out sets. See http://www.openldap.org/faq/data/cache/1133.html

Regards,
Jonathan
> Log level 128
>
> => access_allowed: read access to "uid=authenticate,ou=System,dc=example,dc=com" "objectClass" requested
> => dn: [2] ou=system,dc=example,dc=com
> => acl_get: [2] matched
> => acl_get: [2] attr objectClass
> => slap_access_allowed: result not in cache (objectClass)
> => acl_mask: access to entry "uid=authenticate,ou=System,dc=example,dc=com", attr "objectClass" requested
> => acl_mask: to value by "uid=matt,ou=users,dc=example,dc=com", (=0)
> <= check a_group_pat: cn=[^,]+,ou=Groups,dc=example,dc=com
> /=> acl_string_expand: pattern: cn=[^,]+,ou=Groups,dc=example,dc=com
> => acl_string_expand: expanded: cn=[^,]+,ou=Groups,dc=example,dc=com/
> <= check a_dn_pat: users
> <= acl_mask: [2] applying read(=rscxd) (stop)
> <= acl_mask: [2] mask: read(=rscxd)
> => slap_access_allowed: read access granted by read(=rscxd)
> => access_allowed: read access granted by read(=rscxd)
--
--------------------------------------------------------------
Jonathan Clarke - [email protected]
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
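The log line "acl_string_expand: pattern ... expanded ..." is the whole story: the group clause's pattern only passes through submatch substitution ($0, $1, ... taken from the <what> dn.regex), and the result is then looked up as a literal group DN. The following is an added illustration, not code from this thread or from OpenLDAP itself; it is a small Python model of that behaviour, with a constructed directory (the group cn=SystemAdmins and the member lists are invented for the example) and a regex stand-in for dn.subtree. It reproduces the poster's two cases and also shows the one thing the clause is good for, deriving the group DN from the entry's own DN with $1.

```python
import re

# Added illustration, not code from the thread or from OpenLDAP: a small model
# of how slapd evaluates a "by group/.../attr.expand=<pattern>" clause.
# The pattern only gets $N / ${N} submatch substitution from the <what>
# dn.regex clause (what the log calls acl_string_expand); the result is then
# compared literally with group DNs. It is never used as a regular expression.
# All DNs, groups and members below are constructed for this example.

SUBMATCH_RE = re.compile(r"\$(\d)|\$\{(\d)\}")


def normalize_dn(dn):
    """Crude DN normalisation: case-fold and drop spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def acl_string_expand(pattern, submatches):
    """Replace $N / ${N} with capture N of the <what> regex; nothing else changes."""
    def repl(m):
        n = int(m.group(1) or m.group(2))
        return (submatches[n] or "") if n < len(submatches) else ""
    return SUBMATCH_RE.sub(repl, pattern)


# Constructed directory: normalised group DN -> normalised uniqueMember values
GROUPS = {
    normalize_dn("cn=LdapAdmins,ou=Groups,dc=example,dc=com"): {
        normalize_dn("uid=matt,ou=Users,dc=example,dc=com"),
    },
    normalize_dn("cn=SystemAdmins,ou=Groups,dc=example,dc=com"): {   # invented group
        normalize_dn("uid=matt,ou=Users,dc=example,dc=com"),
    },
}

TARGET = "uid=authenticate,ou=System,dc=example,dc=com"
USER = "uid=matt,ou=Users,dc=example,dc=com"


def evaluate(what_regex, group_pattern, target_dn=TARGET, user_dn=USER):
    """Model of:
         access to dn.regex=<what_regex>
             by group/groupOfUniqueNames/uniqueMember.expand=<group_pattern> write
             by users read
       Returns the access level granted to user_dn on target_dn."""
    m = re.match(what_regex, target_dn, re.IGNORECASE)
    if not m:
        return None                                # ACL does not apply to this entry
    submatches = (m.group(0),) + m.groups()        # $0 is the whole match
    group_dn = normalize_dn(acl_string_expand(group_pattern, submatches))
    if normalize_dn(user_dn) in GROUPS.get(group_dn, set()):
        return "write"                             # group clause matched
    return "read"                                  # falls through to "by users read"


# 1. The poster's first ACL: the regex inside the group pattern is left as-is,
#    so slapd looks for a group literally named cn=[^,]+,ou=Groups,... and finds none.
def demo_regex_in_group_pattern():
    return evaluate(r"^(.+,)?ou=System,dc=example,dc=com$",
                    "cn=[^,]+,ou=Groups,dc=example,dc=com")


# 2. The poster's second ACL: an exact group DN works.
def demo_exact_group():
    return evaluate(r"^(.+,)?ou=System,dc=example,dc=com$",
                    "cn=LdapAdmins,ou=Groups,dc=example,dc=com")


# 3. What submatch replacement is for: derive the group DN from the target's DN
#    via $1 (ou=System -> cn=SystemAdmins, the constructed group above).
def demo_submatch_expansion():
    return evaluate(r"^.*,ou=([^,]+),dc=example,dc=com$",
                    "cn=$1Admins,ou=Groups,dc=example,dc=com")


if __name__ == "__main__":
    print("regex in group pattern :", demo_regex_in_group_pattern())   # read
    print("exact group DN         :", demo_exact_group())              # write
    print("$1 submatch expansion  :", demo_submatch_expansion())       # write
```

The first demo returns "read" for exactly the reason the log shows: the expanded pattern equals the input pattern, no group has that DN, and evaluation falls through to "by users read". The third demo is the pattern to reach for when one group per subtree is wanted; a policy of "any group under ou=Groups" is not expressible with the group clause at all, which is where Jonathan's pointer to sets comes in.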
