Hello! Marco D'Ettorre
  On that day it was said...

> >You're wrong, because for accesses as rootdn the ACLs are not taken into
> >consideration at all.
> You are *NOT* wrong, obviously... :)

Ah, there we go, I was starting to have internal inconsistencies... anyway it
doesn't work, I'm attaching the log:

 Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access to 
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" "telephoneNumber" requested 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [1] attr telephoneNumber 
 Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state 
(telephoneNumber) 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry 
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by 
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)  
 Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: 
cn=replica,dc=sv,dc=lnf,dc=it 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: * 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying  (break) 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0 
 Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [2] 
ou=aliases,dc=sv,dc=lnf,dc=it 
 Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [3] 
ou=people,dc=sv,dc=lnf,dc=it 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] matched 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [3] attr telephoneNumber 
 Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state 
(telephoneNumber) 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry 
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by 
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)  
 Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_set_pat: 
([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it])
 & user 
 Sep 24 11:09:23 invernomuto slapd[19734]: => bdb_entry_get: found entry: 
"cn=ced,ou=group,dc=sv,dc=lnf,dc=it" 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: * 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] applying  (break) 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [2] mask: =0 
 Sep 24 11:09:23 invernomuto slapd[19734]: => dn: [6]  
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_get: [7] attr telephoneNumber 
 Sep 24 11:09:23 invernomuto slapd[19734]: access_allowed: no res from state 
(telephoneNumber) 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: access to entry 
"uid=gaio,ou=People,dc=sv,dc=lnf,dc=it", attr "telephoneNumber" requested 
 Sep 24 11:09:23 invernomuto slapd[19734]: => acl_mask: to all values by 
"uid=gaio,ou=people,dc=sv,dc=lnf,dc=it", (=0)  
 Sep 24 11:09:23 invernomuto slapd[19734]: <= check a_dn_pat: * 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] applying 
read(=rscxd) (stop) 
 Sep 24 11:09:23 invernomuto slapd[19734]: <= acl_mask: [1] mask: read(=rscxd) 
 Sep 24 11:09:23 invernomuto slapd[19734]: => access_allowed: delete access 
denied by read(=rscxd) 

Apart from the fact that I don't understand why 'delete' (but I think it's
the fault of the client, GQ, which probably does a 'delete' and then a
'write' to modify a field), there seems to be no match.

My ACL is:

 access to dn.children="ou=People,dc=sv,dc=lnf,dc=it" 
attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail,description
        by 
set="([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it])
 & user" write
        by * break

whereas if I put:

 access to dn.children="ou=People,dc=sv,dc=lnf,dc=it" 
attrs=entry,@inetLocalMailRecipient,physicalDeliveryOfficeName,telephoneNumber,mail
        by dn.exact="uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" write
        by * break

it works perfectly.

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it      tel +39-0434-842711  fax +39-0434-842797

_______________________________________________
OpenLDAP mailing list
OpenLDAP@sys-net.it
https://www.sys-net.it/mailman/listinfo/openldap
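
Added example (not part of the original message): a small Python reader for a slapd ACL trace like the one above, listing for each ACL which `by` clauses were tested and which one was applied. The sample lines are constructed from the log's format with the mail-wrapped lines rejoined; reading the bracketed number on the `applying` line as the 1-based index of the applied `by` clause is an assumption.

```python
import re

# Constructed sample: slapd ACL trace lines in the format of the log above,
# with mail-wrapped lines rejoined and the syslog prefix dropped.
SAMPLE = """\
=> access_allowed: delete access to "uid=gaio,ou=People,dc=sv,dc=lnf,dc=it" "telephoneNumber" requested
<= check a_dn_pat: cn=replica,dc=sv,dc=lnf,dc=it
<= check a_dn_pat: *
<= acl_mask: [2] applying  (break)
<= check a_set_pat: ([uid=]+[cn=ced,ou=Group,dc=sv,dc=lnf,dc=it]/memberUid+[,ou=People,dc=sv,dc=lnf,dc=it]) & user
<= check a_dn_pat: *
<= acl_mask: [2] applying  (break)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
=> access_allowed: delete access denied by read(=rscxd)
"""

CHECK = re.compile(r"<= check (a_\w+): (.*)")
APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying\s+(\S*)\s*\((\w+)\)")
FINAL = re.compile(r"=> access_allowed: (\w+) access (granted|denied) by (\S+)")

def summarize(trace):
    """Return (steps, verdict). Each step holds the <who> clauses slapd
    tested for one ACL, the index of the applied clause, its mask and control."""
    steps, checks, verdict = [], [], None
    for line in (l.strip() for l in trace.splitlines()):
        if m := CHECK.search(line):
            checks.append((m.group(1), m.group(2)))
        elif m := APPLY.search(line):
            # Assumption: [N] is the 1-based index of the applied `by` clause.
            steps.append({"checked": checks, "applied": int(m.group(1)),
                          "mask": m.group(2), "control": m.group(3)})
            checks = []
        elif m := FINAL.search(line):
            verdict = m.groups()
    return steps, verdict

def skipped_clauses(steps):
    """Clauses that were tested but not applied (a later clause was used)."""
    return [c for s in steps for c in s["checked"][:s["applied"] - 1]]

if __name__ == "__main__":
    steps, verdict = summarize(SAMPLE)
    for n, s in enumerate(steps, 1):
        print(f"ACL step {n}: clause {s['applied']} applied, "
              f"mask={s['mask']!r}, control={s['control']}")
    print("tested but not applied:", skipped_clauses(steps))
    print("verdict:", verdict)
```

On the sample, the set clause appears among the clauses that were tested but not applied, and the request ends at the final `by *` clause with `read(=rscxd)`.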
