The error message shows up in both 1.2.10.12 and 1.2.11.17. I think it's a bug, although maybe harmless.

I am trying to grant all users under "ou=special,ou=test,dc=example,dc=com" read access to the "ou=people,ou=Test,dc=example,dc=com" subtree.

So I first created a dynamic group including all users under "ou=special,ou=test,dc=example,dc=com":

  "cn=all special users,ou=special,ou=Test,dc=example,dc=com"
  memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))

Then I added an ACI to "ou=people,ou=Test,dc=example,dc=com" granting the dynamic group read access to all attributes:

  aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)

The ACI does what it's supposed to do; now all users under "ou=special,ou=test,dc=example,dc=com" are able to read all attributes of the subtree "ou=people,ou=Test,dc=example,dc=com".

> 1.
> ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]

Since "uid=ttest,ou=people,ou=Test,dc=example,dc=com" is NOT a member of the dynamic group, the ACI does not apply. But the NSACLPlugin logs this error message, which I think is not necessary.

> 2.
> ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]
>
> Repeat searches 1 & 2: the acllas__client_match_URL error message doesn't repeat.
>
> 3.
> ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> No message in the errors log.

Since "uid=aclp,ou=special,ou=Test,dc=example,dc=com" IS a member of the dynamic group, the ACL applies and the search returns all the attributes.

________________________________
> Date: Fri, 1 Feb 2013 12:20:58 -0700
> From: rmeggins@xxxxxxxxxx
> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> CC: picturebook16@xxxxxxxxxxx
> Subject: Re: errors log - NSACLPlugin - acllas__client_match_URL:
>
> On 01/31/2013 09:17 AM, Picture Book wrote:
> > After using a dynamic group in an ACL, I see the following messages in the errors log.
> >
> > 1.
> > ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
> >
> > [31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]
> >
> > 2.
> > ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
> >
> > [31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]
> >
> > Repeat searches 1 & 2: the acllas__client_match_URL error message doesn't repeat.
> >
> > 3.
> > ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
> >
> > No message in the errors log.
>
> What platform? What 389-ds-base version?
> Not sure exactly what you're trying to do.
>
> > This is the dynamic group:
> >
> > dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
> > objectClass: groupofurls
> > objectClass: groupofuniquenames
> > objectClass: top
> > cn: all special users
> > memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
> >
> > This is the ACL:
> >
> > dn: ou=people,ou=Test,dc=example,dc=com
> > objectClass: organizationalunit
> > objectClass: top
> > ou: people
> > aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
> > createTimestamp: 20130131152507Z
> >
> > The following is the LDIF export of the test setup:
> >
> > version: 1
> > dn: ou=Test,dc=example,dc=com
> > objectClass: organizationalunit
> > objectClass: top
> > ou: Test
> > createTimestamp: 20130123175104Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: ou=test,dc=example,dc=com
> > entryid: 10
> > hasSubordinates: TRUE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130123175104Z
> > nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
> > numSubordinates: 5
> > parentid: 1
> > subschemaSubentry: cn=schema
> >
> > dn: cn=mygroup,ou=Test,dc=example,dc=com
> > objectClass: groupofuniquenames
> > objectClass: top
> > cn: mygroup
> > uniqueMember: uid=test11,ou=test,dc=example,dc=com
> > createTimestamp: 20130123175116Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: cn=mygroup,ou=test,dc=example,dc=com
> > entryid: 11
> > hasSubordinates: FALSE
> > modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
> > modifyTimestamp: 20130123182725Z
> > nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 10
> > subschemaSubentry: cn=schema
> >
> > dn: uid=test11,ou=Test,dc=example,dc=com
> > objectClass: inetorgperson
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: top
> > cn: test 1
> > sn: 1
> > givenName: test
> > uid: test11
> > userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9PQ==
> > createTimestamp: 20130123175131Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: uid=test11,ou=test,dc=example,dc=com
> > entryid: 12
> > hasSubordinates: FALSE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131155727Z
> > nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 10
> > passwordGraceUserTime: 0
> > subschemaSubentry: cn=schema
> >
> > dn: ou=people,ou=Test,dc=example,dc=com
> > objectClass: organizationalunit
> > objectClass: top
> > ou: people
> > aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
> > createTimestamp: 20130131152507Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: ou=people,ou=test,dc=example,dc=com
> > entryid: 13
> > hasSubordinates: TRUE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131155032Z
> > nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 1
> > parentid: 10
> > subschemaSubentry: cn=schema
> >
> > dn: ou=groups,ou=Test,dc=example,dc=com
> > objectClass: organizationalunit
> > objectClass: top
> > ou: groups
> > createTimestamp: 20130131152521Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: ou=groups,ou=test,dc=example,dc=com
> > entryid: 14
> > hasSubordinates: FALSE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131152521Z
> > nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 10
> > subschemaSubentry: cn=schema
> >
> > dn: ou=special,ou=Test,dc=example,dc=com
> > objectClass: organizationalunit
> > objectClass: top
> > ou: special
> > createTimestamp: 20130131152543Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: ou=special,ou=test,dc=example,dc=com
> > entryid: 15
> > hasSubordinates: TRUE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131152543Z
> > nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 2
> > parentid: 10
> > subschemaSubentry: cn=schema
> >
> > dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
> > objectClass: inetorgperson
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: top
> > cn: acl problem
> > sn: problem
> > givenName: acl
> > uid: aclp
> > userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9PQ==
> > createTimestamp: 20130131152618Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
> > entryid: 16
> > hasSubordinates: FALSE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131152854Z
> > nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 15
> > passwordGraceUserTime: 0
> > subschemaSubentry: cn=schema
> >
> > dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
> > objectClass: groupofurls
> > objectClass: groupofuniquenames
> > objectClass: top
> > cn: all special users
> > memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
> > createTimestamp: 20130131152806Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
> > entryid: 17
> > hasSubordinates: FALSE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131155311Z
> > nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 15
> > subschemaSubentry: cn=schema
> >
> > dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
> > objectClass: inetorgperson
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: top
> > cn: test test
> > sn: test
> > givenName: test
> > uid: ttest
> > userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9PQ==
> > createTimestamp: 20130131152911Z
> > creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
> > entryid: 18
> > hasSubordinates: FALSE
> > modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> > modifyTimestamp: 20130131154252Z
> > nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
> > numSubordinates: 0
> > parentid: 13
> > passwordGraceUserTime: 0
> > subschemaSubentry: cn=schema
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
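As an added illustration (not code from this thread or from 389-ds), the Python below models the two checks behind a groupOfURLs membership decision for an ACI groupdn: first whether the bind DN lies inside the memberURL's base at the URL's scope (the one-level test the log line above reports on), and only then whether the entry matches the filter. The entries are constructed from the LDIF in the thread; the nested uid=deep entry is hypothetical and shows that with scope `one` a user in a sub-OU of ou=special is not a member, while the same URL with scope `sub` would include it.

```python
import re
from urllib.parse import unquote

# Constructed test data, modelled on the entries in the thread's LDIF export.
MEMBER_URL = "ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))"
ENTRIES = {
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["acl problem"]},
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["test test"]},
    # hypothetical nested user (not in the thread): one level deeper than the URL base
    "uid=deep,ou=nested,ou=special,ou=Test,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["deep"]},
}

def normalize_dn(dn):
    """Case-fold and trim RDN components (DN comparison is case-insensitive). Naive: no escaped commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_member_url(url):
    """Split an RFC 4516 URL 'ldap://host/dn?attrs?scope?filter' into (base, scope, filter)."""
    m = re.fullmatch(r"ldap://[^/]*/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    base, _attrs, scope, filt = m.groups()
    return normalize_dn(unquote(base)), (scope or "base").lower(), filt or "(objectClass=*)"

def dn_in_scope(dn, base, scope):
    """Does `dn` fall within `base` at the given search scope?"""
    dn = normalize_dn(dn)
    if scope == "base":
        return dn == base
    if scope in ("one", "onelevel"):          # direct children only
        return dn.split(",", 1)[1] == base if "," in dn else False
    if scope in ("sub", "subtree"):
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope %r" % scope)

def matches_filter(entry, filt):
    """Evaluate a conjunction of (attr=value) / (attr=*) terms; no |, !, or substring filters."""
    entry = {a.lower(): [v.lower() for v in vs] for a, vs in entry.items()}
    for attr, value in re.findall(r"\(([^&|!()=]+)=([^()]*)\)", filt):
        vals = entry.get(attr.lower(), [])
        if (value == "*" and not vals) or (value != "*" and value.lower() not in vals):
            return False
    return True

def is_dynamic_member(dn, entry, url=MEMBER_URL):
    """Scope check first (what acllas__client_match_URL logs about), then the filter."""
    base, scope, filt = parse_member_url(url)
    return dn_in_scope(dn, base, scope) and matches_filter(entry, filt)
```

Running is_dynamic_member over ENTRIES gives True for uid=aclp and False for both uid=ttest (wrong parent) and uid=deep (too deep for scope one); passing MEMBER_URL with "??sub?" instead of "??one?" makes uid=deep a member as well.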