[...]
> What am I not seeing, this time?

This time the problem was slapacl.

If someone (a fool) uses the -u option, then if there are rules that depend on the content of the entry, clearly there can be no match. The man page says so too:

  -u     do not fetch the entry from the database. In this case, if the
         entry does not exist, a fake entry with the DN given with the -b
         option is used, with no attributes. As a consequence, those rules
         that depend on the contents of the target object will not behave
         as with the real object. The DN given with the -b option is still
         used to select what rules apply; thus, it must be in the naming
         context of a configured database. See also -b.

So, to recap:

  olcAccess: {5}to dn.subtree="ou=groups,dc=example,dc=com"
    by group/groupOfNames/member.exact="cn=grouper,ou=groups,dc=example,dc=com" write
    by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read
    by dnattr=member read
    by * none

is fine, but it must be tested with:

  sudo /usr/sbin/slapacl -d128 -v -F /etc/ldap/slapd.d/ -b cn=cesia,ou=groups,dc=example,dc=com -D uid=tizio,ou=people,dc=example,dc=com member/read

Bye,
Francesco
_______________________________________________
OpenLDAP mailing list
OpenLDAP@mail.sys-net.it
https://www.sys-net.it/mailman/listinfo/openldap
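
Added example (not part of the original post, and not OpenLDAP code): a simplified Python model of the first-match evaluation of rule {5}, showing why the dnattr=member clause cannot match the attribute-less fake entry that -u substitutes for the target. The member lists, the uid=caio and uid=sempronio DNs, the plain string comparison of DNs, and the assumption that group lookups are unaffected by -u are all constructed for the illustration.

```python
# Simplified model of how the "by" clauses of one olcAccess rule are walked.
# Not OpenLDAP code; DNs are compared as plain strings (no normalization).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

GROUPS = "ou=groups,dc=example,dc=com"
PEOPLE = "ou=people,dc=example,dc=com"

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    f"cn=grouper,{GROUPS}": {"member": [f"uid=caio,{PEOPLE}"]},
    f"cn=admins,{GROUPS}": {"member": [f"uid=sempronio,{PEOPLE}"]},
    f"cn=cesia,{GROUPS}": {"member": [f"uid=tizio,{PEOPLE}"]},
}

# The "by" clauses of rule {5}, in order: (kind, argument, granted level).
RULE_5 = [
    ("group", f"cn=grouper,{GROUPS}", "write"),
    ("group", f"cn=admins,{GROUPS}", "read"),
    ("dnattr", "member", "read"),
    ("any", None, "none"),
]

def granted_level(bind_dn, target_dn, fake_entry=False):
    """Return the level granted by the first matching clause.

    fake_entry=True models -u: the target is an entry with no attributes.
    """
    target = {} if fake_entry else DIRECTORY.get(target_dn, {})
    for kind, arg, level in RULE_5:
        if kind == "group":
            # Looks at the *group* entry named in the clause, not the target
            # (assumed here to be unaffected by -u).
            matched = bind_dn in DIRECTORY.get(arg, {}).get("member", [])
        elif kind == "dnattr":
            # Looks at the *target* entry's own attribute values.
            matched = bind_dn in target.get(arg, [])
        else:
            matched = True  # "by *"
        if matched:
            return level
    return "none"

def allowed(bind_dn, target_dn, wanted, fake_entry=False):
    """True if the granted level is at least the requested one."""
    got = granted_level(bind_dn, target_dn, fake_entry)
    return LEVELS.index(got) >= LEVELS.index(wanted)
```
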