Hi all,
In the Directory Server access control documentation, it is said that the
following ACI syntax can be used:
(version 3.0; acl "test" allow (all) userattr =
"parent[1].attribute#LDAPURL";)
I need exactly this feature for the LDAP support of my software.
But in my tests, while userattr="url#LDAPURL" does work, the use of the
"parent" keyword does not work.
I use the class enatelUserReferer, which allows the url attribute type. The
object under which I want to create another one is:
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
It is named after the nsuniqueid of the object:
uid=francois,dc=evidian,dc=fr
I want to give add access to this user, even if the user is renamed, so I
want to use the nsuniqueid to find him. In the url attribute I store:
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)
Here are the ACIs set on my o=tests root suffix:

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access"; allow (read,search,compare) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal access"; allow (all) userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth access"; allow (all) userattr="parent[1].url#LDAPURL";)
Then I bind as uid=francois,dc=evidian,dc=fr and try to create an
enatelUserManagedAuth entry with DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
I got an access denied error.
Here is the access control log of slapd:
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Client DN: uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - resource type:256(add target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692 ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_filter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests"
Where is the problem?
Thank you very much
François
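As an added illustration (not code from the post or from Directory Server), here is a small Python model of how a userattr="parent[N].attr#LDAPURL" bind rule is meant to be evaluated: walk N RDNs up from the target DN, read the named attribute there, and check whether the bind DN lies under each LDAP URL's base and scope and satisfies its filter. The in-memory directory, the single-equality filter support and the DN splitting are simplifications constructed for this example from the DNs quoted above.

```python
import re
# Constructed in-memory directory built from the DNs quoted in the post
# (attribute names lower-cased; the entry being added does not exist yet).
DIRECTORY = {
    "o=tests": {"objectclass": ["organization"]},
    "cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests": {
        "objectclass": ["enatelUserReferer"],
        "url": ["ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)"],
    },
    "uid=francois,dc=evidian,dc=fr": {
        "objectclass": ["person"],
        "nsuniqueid": ["5b74e802-1dd211b2-80e4f010-e49d0000"],
    },
}

def parent_dn(dn, level):
    """Drop `level` leading RDNs (level 0 is the entry itself); escaped commas not modelled."""
    parts = dn.split(",")
    return ",".join(parts[level:]) if level < len(parts) else None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter); no percent-decoding."""
    m = re.fullmatch(r"ldap://[^/]*/([^?]*)\??([^?]*)\??([^?]*)\??(.*)", url)
    base, _attrs, scope, filt = m.groups()
    return base, (scope or "base"), filt

def dn_under(dn, base, scope):
    """Is `dn` inside the URL's search base for scope base/one/sub?"""
    dn, base = dn.lower(), base.lower()
    if scope == "one":
        return parent_dn(dn, 1) == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def matches_filter(entry, filt):
    """Only a single equality filter such as (nsuniqueid=...) is modelled."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    return bool(m) and m.group(2).lower() in [v.lower() for v in entry.get(m.group(1).lower(), [])]

def userattr_allows(target_dn, bind_dn, rule):
    """Evaluate a userattr value like 'parent[1].url#LDAPURL'; LDAPURL is the only bind type modelled."""
    spec, bind_type = rule.split("#")
    m = re.fullmatch(r"(?:parent\[(\d+)\]\.)?(\w+)", spec)
    level, attr = int(m.group(1) or 0), m.group(2).lower()
    holder = DIRECTORY.get(parent_dn(target_dn, level) or "", {})
    bind_entry = DIRECTORY.get(bind_dn)
    if bind_type != "LDAPURL" or bind_entry is None:
        return False
    # The bind DN must fall under a URL's base/scope and satisfy its filter.
    return any(dn_under(bind_dn, b, s) and matches_filter(bind_entry, f)
               for b, s, f in map(parse_ldap_url, holder.get(attr, [])))
```

With parent[1] the rule reads the url attribute of the referer entry and grants the add; with a plain url#LDAPURL (parent[0]) on an add, the target entry does not exist yet, so the model has nothing to read and denies.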