Mandi! Marco D'Ettorre
On that day, it was said...
> >You're wrong, because for accesses as rootdn the ACLs are not taken
> >into account at all.
> You're *NOT* wrong, obviously... :)
Ah, right, I was starting to see internal inconsistencies... anyway, it
doesn't work; I'm attaching the log:
Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access to
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [1] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state
(telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat:
cn=replica,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [2]
ou=aliases,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [3]
ou=people,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] matched
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state
(telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_set_pat:
([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it])
& user
Sep 24 11:09:23 invernomuto slapd[19734]: => bdb_entry_get: found entry:
"cn=ced,ou=group,dc=sv,dc=lnf,dc=it"
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [6]
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [7] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state
(telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] applying
read(=rscxd) (stop)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] mask: read(=rscxd)
Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access
denied by read(=rscxd)
Apart from the fact that I don't understand why 'delete' (but I think it's
the fault of the client, GQ, which probably does a 'delete' and then a
'write' to modify a field), there seems to be no match.
My ACL is:
access to dn.children="ou=People,dc=sv,dc=lnf,dc=it"
attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail,description
by
set="([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it])
& user" write
by * break
whereas if I put:
access to dn.children="ou=People,dc=sv,dc=lnf,dc=it"
attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail
by dn.exact="uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" write
by * break
it works perfectly.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
_______________________________________________
OpenLDAP mailing list
[email protected]
https://www.sys-net.it/mailman/listinfo/openldap
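As an added illustration (not part of the post above, nor OpenLDAP code): a small Python parser for the slapd ACL trace format shown in the log. It reports, for each ACL that matched the target entry, which `check` patterns were tried and which `by` clause actually fired, so the no-match on the set clause stands out without reading the trace by hand. The sample input is a constructed excerpt of the post's trace with the mail-wrapped lines re-joined onto single lines; the function and regex names are mine.

```python
import re

# Constructed sample: an excerpt of the slapd ACL trace quoted in the post,
# with the mail-wrapped a_set_pat line re-joined onto a single line.
SAMPLE_LOG = """\
Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access to "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_set_pat: ([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it]) & user
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [7] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access denied by read(=rscxd)
"""

RE_REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_ACL = re.compile(r"=> acl_get: \[(\d+)\] attr (\S+)")
RE_CHECK = re.compile(r"<= check (a_\w+): (.*)$")
RE_APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying\s*(.*?)\s*\((\w+)\)$")
RE_VERDICT = re.compile(r"=> access_allowed: (\w+) access (granted|denied) by (\S+)")

def parse_acl_trace(text):
    """Summarise which 'by' clause of which ACL decided the request.
    slapd prints one '<= check ...' line per 'by' clause it tries; a check
    followed by another check did not match, while the check directly
    followed by '<= acl_mask: [n] applying ...' is the clause that fired."""
    result = {"request": None, "acls": [], "verdict": None}
    cur = None  # the ACL (acl_get index) currently being evaluated
    for line in text.splitlines():
        if m := RE_REQUEST.search(line):
            result["request"] = {"op": m[1], "dn": m[2], "attr": m[3]}
        elif m := RE_ACL.search(line):
            cur = {"acl": int(m[1]), "attr": m[2], "checks": [], "applied": None}
            result["acls"].append(cur)
        elif (m := RE_CHECK.search(line)) and cur is not None:
            cur["checks"].append({"kind": m[1], "pattern": m[2].strip(), "matched": False})
        elif (m := RE_APPLY.search(line)) and cur is not None:
            if cur["checks"]:
                cur["checks"][-1]["matched"] = True  # the last check tried is the one that fired
            cur["applied"] = {"clause": int(m[1]), "access": m[2], "control": m[3]}
        elif m := RE_VERDICT.search(line):
            result["verdict"] = {"op": m[1], "result": m[2], "by": m[3]}
    return result

if __name__ == "__main__":
    for acl in parse_acl_trace(SAMPLE_LOG)["acls"]:
        print(acl["acl"], [(c["kind"], c["matched"]) for c in acl["checks"]], acl["applied"])
```

On the sample, ACL [3] shows the `a_set_pat` check with `matched: False` and the `*` check firing with `break`, after which ACL [7] grants only `read`, which is why the `delete` request is denied.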