Re: set.regex and substring substitution
Good morning Pierangelo,

The [] around the $2 solved this problem.

Thanks,
Ronie

-------- Original Message --------
Subject: Re: set.regex and substring substitution
From: Pierangelo Masarati
To: ro...@ronie.com.br
Cc: openldap-software@openldap.org
Date: Thu Sep 17 2009 07:02:23 GMT-0300

Try

access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
    by set.regex="user/allowedDomain & [$2]" write

since the domain, after regex expansion, should be treated as a literal. Moreover,

access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
    by set.expand="user/allowedDomain & [$2]" write

should be more appropriate.

p.
Re: set.regex and substring substitution
On Wed, 16 Sep 2009, Ronie Gilberto Henrich wrote:

> Isn't it the same as setting loglevel 128 (access control list processing) in /etc/openldap/slapd.conf?

Yes, that should have the same effect...

> slapd[19439]: <= check a_set_pat: user/allowedDomain & $2

As Pierangelo pointed out, that's the next thing to tweak.
Re: set.regex and substring substitution
Ronie Gilberto Henrich wrote:

> Hi Aaron,
>
> Isn't it the same as setting loglevel 128 (access control list processing) in /etc/openldap/slapd.conf?
>
> This is the slapd.access acl:
>
> access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
>     by set.regex="user/allowedDomain & $2" write

Try

access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
    by set.regex="user/allowedDomain & [$2]" write

since the domain, after regex expansion, should be treated as a literal. Moreover,

access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
    by set.expand="user/allowedDomain & [$2]" write

should be more appropriate.

p.
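An added example (not from any poster in this thread, and not OpenLDAP code): a small Python check that models the $N substitution described in the reply above and flags set patterns in "slapd -d acl" output where $N sits outside a [...] literal. The target DN and the log lines are constructed samples, and the expansion is a simplified model that handles only the $N form.

```python
import re

# dn.regex from the ACL in this thread; the target DN is a constructed sample.
DN_REGEX = r"^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
SAMPLE_DN = "mail=user1@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR"

# Constructed log lines in the "slapd -d acl" format quoted in the thread.
SAMPLE_LOG = """\
slapd[19439]: => acl_get: [3] matched
slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
slapd[19439]: <= check a_set_pat: user/allowedDomain & [$2]
"""

SET_PAT = re.compile(r"check a_set_pat:\s*(.+)$")
SUBST = re.compile(r"\$(\d)")  # simplification: only the $N form used on this page

def bare_substitutions(pattern):
    """Return the $N references that sit outside a [literal] in a set pattern."""
    in_literal, bare = False, []
    for i, ch in enumerate(pattern):
        if ch == "[":
            in_literal = True
        elif ch == "]":
            in_literal = False
        elif ch == "$" and not in_literal:
            m = SUBST.match(pattern, i)
            if m:
                bare.append(m.group(0))
    return bare

def expand(pattern, dn, dn_regex=DN_REGEX):
    """Model the substitution step: replace $N with the dn.regex captures."""
    m = re.match(dn_regex, dn)
    if m is None:
        return pattern  # the ACL's <what> clause would not match this DN
    return SUBST.sub(lambda s: m.group(int(s.group(1))) or "", pattern)

def audit(log_text, dn=SAMPLE_DN):
    """Return (pattern, expanded pattern, bare $N list) per a_set_pat line."""
    out = []
    for line in log_text.splitlines():
        m = SET_PAT.search(line)
        if m:
            pat = m.group(1).strip()
            out.append((pat, expand(pat, dn), bare_substitutions(pat)))
    return out

for pat, expanded, bare in audit(SAMPLE_LOG):
    print(f"{pat!r} -> {expanded!r}  bare={bare}")
```

A non-empty "bare" list marks a pattern whose expanded value reaches the set parser as a bare word rather than as a bracketed literal, which is the case the [$2] form avoids.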
Re: set.regex and substring substitution
Hi Aaron,

Isn't it the same as setting loglevel 128 (access control list processing) in /etc/openldap/slapd.conf?

This is the slapd.access acl:

access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
    by set.regex="user/allowedDomain & $2" write

These are the logs:

slapd[19439]: => access_allowed: add access to "mail=tes...@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR" "entry" requested
slapd[19439]: => dnpat: [1] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [2] .*,ou=User,o=example,c=BR nsub: 0
slapd[19439]: => dnpat: [3] ^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$ nsub: 2
slapd[19439]: => acl_get: [3] matched
slapd[19439]: => acl_get: [3] attr entry
slapd[19439]: => acl_mask: access to entry "mail=tes...@example.com.br,ou=example.com.br,ou=Mail,o=example,c=BR", attr "entry" requested
slapd[19439]: => acl_mask: to all values by "uid=ronie,ou=user,o=example,c=br", (=0)
slapd[19439]: <= check a_set_pat: user/allowedDomain & $2
slapd[19439]: => bdb_entry_get: found entry: "uid=ronie,ou=user,o=example,c=br"
slapd[19439]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[19439]: <= acl_mask: [4] mask: read(=rscxd)
slapd[19439]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[19439]: => access_allowed: no more rules

Thanks,
Ronie

-------- Original Message --------
Subject: Re: set.regex and substring substitution
From: Aaron Richton
To: Ronie Gilberto Henrich
Cc: openldap-software@openldap.org
Date: Wed Sep 16 2009 13:45:00 GMT-0300

On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:

> I think you mean "slapacl -D"

No, I mean "slapd -d acl", not to say that slapacl isn't useful too. The key to slapacl is knowing what the proper input should be, and history has shown that "slapd -d acl" often proves enlightening to discovering the actual input to the ACL rules.

Also, if you post relevant parts of "slapd -d acl" output to the list, it'll be a LOT easier than us having to try to divine (possibly quite relevant) DIT details.
Re: set.regex and substring substitution
I think you mean "slapacl -D"

I am already using it to debug the ACLs.

-------- Original Message --------
Subject: Re: set.regex and substring substitution
From: Aaron Richton
To: Ronie Gilberto Henrich
Cc: openldap-software@openldap.org
Date: Tue Sep 15 2009 12:15:17 GMT-0300

On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:

> Any ideas about what I should do for this to work?

Start with "slapd -d acl" and go from there...
Re: set.regex and substring substitution
On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:

> I think you mean "slapacl -D"

No, I mean "slapd -d acl", not to say that slapacl isn't useful too. The key to slapacl is knowing what the proper input should be, and history has shown that "slapd -d acl" often proves enlightening to discovering the actual input to the ACL rules.

Also, if you post relevant parts of "slapd -d acl" output to the list, it'll be a LOT easier than us having to try to divine (possibly quite relevant) DIT details.
Re: set.regex and substring substitution
On Tue, 15 Sep 2009, Ronie Gilberto Henrich wrote:

> Any ideas about what I should do for this to work?

Start with "slapd -d acl" and go from there...