Hello! Marco D'Ettorre
  On that day it was said...

> > You're wrong, because for access as rootdn the ACLs are not taken into
> > consideration at all.
> You are *NOT* wrong, of course... :)

Ah, there, I was starting to have internal inconsistencies... anyway, it doesn't work; I'm attaching the log:

Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access to "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [1] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state (telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by "uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: cn=replica,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [2] ou=aliases,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [3] ou=people,dc=sv,dc=lnf,dc=it
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] matched
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state (telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by "uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_set_pat: ([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it]) & user
Sep 24 11:09:23 invernomuto slapd[19734]: => bdb_entry_get: found entry: "cn=ced,ou=group,dc=sv,dc=lnf,dc=it"
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0
Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [6]
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [7] attr telephoneNumber
Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state (telephoneNumber)
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested
Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by "uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)
Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: *
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] mask: read(=rscxd)
Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access denied by read(=rscxd)

Apart from the fact that I don't understand why 'delete' (but I think it's the fault of the client, GQ, which probably does a 'delete' and then a 'write' to modify a field), there seems to be no match. My ACL is:

access to dn.children="ou=People,dc=sv,dc=lnf,dc=it"
	attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail,description
	by set="([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it]) & user" write
	by * break

whereas if I put:

access to dn.children="ou=People,dc=sv,dc=lnf,dc=it"
	attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail
	by dn.exact="uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" write
	by * break

it works perfectly.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''		http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it		tel +39-0434-842711  fax +39-0434-842797

_______________________________________________
OpenLDAP mailing list
OpenLDAP@sys-net.it
https://www.sys-net.it/mailman/listinfo/openldap
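
Added example (not part of the original message and not OpenLDAP project code): a small Python parser that condenses a slapd ACL trace like the one above into one record per ACL, showing which "who" patterns were checked and passed over before a clause applied. The sample log is constructed with a dc=example,dc=com suffix, and the code assumes one "who" pattern per "by" clause, as in the ACLs above.

```python
import re

# Constructed sample: a shortened slapd ACL trace in the same format as the log above.
SAMPLE = """\
Sep 24 11:09:23 host slapd[1]: => access_allowed: delete access to "uid=gaio,ou=People,dc=example,dc=com" "telephoneNumber" requested
Sep 24 11:09:23 host slapd[1]: => acl_get: [3] attr telephoneNumber
Sep 24 11:09:23 host slapd[1]: <= check a_set_pat: ([uid=]+[cn=ced,ou=Group,dc=example,dc=com]/memberUid) & user
Sep 24 11:09:23 host slapd[1]: <= check a_dn_pat: *
Sep 24 11:09:23 host slapd[1]: <= acl_mask: [2] applying (break)
Sep 24 11:09:23 host slapd[1]: => acl_get: [7] attr telephoneNumber
Sep 24 11:09:23 host slapd[1]: <= check a_dn_pat: *
Sep 24 11:09:23 host slapd[1]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 24 11:09:23 host slapd[1]: => access_allowed: delete access denied by read(=rscxd)
"""

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
GET = re.compile(r'=> acl_get: \[(\d+)\] attr \S+')
CHECK = re.compile(r'<= check (a_\w+): (.*)$')
APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (.*)\((\w+)\)$')
RESULT = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def trace(log):
    """Return the request, one step per ACL evaluated, and the final decision."""
    out = {"request": None, "steps": [], "result": None}
    acl, checked = None, []
    for line in log.splitlines():
        if m := REQ.search(line):
            out["request"] = m.groups()
        elif m := GET.search(line):
            acl, checked = int(m.group(1)), []       # a new ACL was selected
        elif m := CHECK.search(line):
            checked.append((m.group(1), m.group(2).strip()))
        elif m := APPLY.search(line):
            # Assumption: one pattern per "by" clause, so every pattern checked
            # before the last one belongs to a clause that did not match.
            out["steps"].append({
                "acl": acl, "clause": int(m.group(1)),
                "mask": m.group(2).strip(), "control": m.group(3),
                "skipped": checked[:-1],
            })
        elif m := RESULT.search(line):
            out["result"] = m.groups()
    return out

if __name__ == "__main__":
    t = trace(SAMPLE)
    for s in t["steps"]:
        print(s)
    print(t["result"])
```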