Does userattr="parent[1].attribute#LDAPURL" work ?

Hi all,

in the directory server access control documentation, it is said that the
following aci syntax can be used:
(version 3.0; acl "test" allow (all) userattr = "parent[1].attribute#LDAPURL";)

I need exactly this feature for the LDAP support of my software.

But in my tests, while userattr="url#LDAPURL" does work, the use of the
"parent" keyword does not work.


I use the class enatelUserReferer, which allows the url attribute type. The
object under which I want to create another one is:
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests

It is named by the nsuniqueid of the object:
uid=francois,dc=evidian,dc=fr

I want to give add access to this user, even if the user is renamed. So I
want to use the nsuniqueid to find him. In the url attribute I store:
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)


Here are the ACIs set on my o=tests root suffix:

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access"; allow (read,search,compare) userdn="ldap:///all";;)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";;)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal access"; allow (all) userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth access"; allow (all) userattr="parent[1].url#LDAPURL";)


Then I bind as uid=francois,dc=evidian,dc=fr and try to create an
enatelUserManagedAuth with DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests


I get an access denied error.


Here is the access control log of slapd:

[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Client DN: uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     resource type:256(add target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692   ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_filter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests"



Where is the problem?

Thank you very much

François
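To make the evaluation the bind rule is asking for explicit, here is an added, simplified model of the documented meaning of userattr="parent[N].attr#LDAPURL" run over the DNs from the post above. It is not 389 Directory Server code and does not explain the denial; the in-memory directory, the extra user uid=bob and all function names are constructed for this example.

```python
# Simplified model of the documented meaning of userattr="parent[N].attr#LDAPURL":
# go N RDNs up from the target DN (N=0 is the target itself), read attr there,
# treat each value as an LDAP URL and test whether the bind entry matches it.
import re

UUID = "5b74e802-1dd211b2-80e4f010-e49d0000"
DIRECTORY = {  # constructed in-memory directory: DN -> {attribute (lower-case): [values]}
    "uid=francois,dc=evidian,dc=fr": {"nsuniqueid": [UUID]},
    "uid=bob,dc=evidian,dc=fr": {"nsuniqueid": ["00000000-constructed-other-id"]},
    f"cn={UUID},o=tests": {
        "objectclass": ["enatelUserReferer"],
        "url": [f"ldap:///dc=evidian,dc=fr??sub?(nsuniqueid={UUID})"],
    },
}

def parent_dn(dn, levels):
    return ",".join(dn.split(",")[levels:])  # naive comma split; escaped commas not handled

def parse_ldap_url(url):
    rest = url[len("ldap://"):].partition("/")[2]   # ldap:///base?attrs?scope?filter
    f = (rest.split("?") + [""] * 4)[:4]
    return f[0], f[2] or "base", f[3] or "(objectclass=*)"

def dn_in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "one":
        return parent_dn(dn, 1) == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def matches_filter(entry, filt):
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)  # only (attr=value), as used in the post
    if not m:
        raise ValueError("unsupported filter: " + filt)
    return any(v.lower() == m.group(2).lower() for v in entry.get(m.group(1).lower(), []))

def userattr_allows(bind_dn, target_dn, rule):
    """Evaluate 'parent[N].attr#LDAPURL' (plain 'attr#LDAPURL' means N=0)."""
    spec, _, bind_type = rule.partition("#")
    if bind_type != "LDAPURL":
        raise ValueError("only #LDAPURL is modeled")
    m = re.fullmatch(r"parent\[(\d+)\]\.(\w+)", spec)
    levels, attr = (int(m.group(1)), m.group(2)) if m else (0, spec)
    holder, bind_entry = DIRECTORY.get(parent_dn(target_dn, levels)), DIRECTORY.get(bind_dn)
    if holder is None or bind_entry is None:
        return False  # e.g. plain url#LDAPURL on an add: the target does not exist yet
    for url in holder.get(attr.lower(), []):
        base, scope, filt = parse_ldap_url(url)
        if dn_in_scope(bind_dn, base, scope) and matches_filter(bind_entry, filt):
            return True
    return False
```

Under this reading, the add of cn=auth under the referer entry is granted to uid=francois through parent[1].url and refused to any other bind DN, while the plain url#LDAPURL form cannot apply to an add because the target entry does not exist yet.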