Does userattr="parent[1].attribute#LDAPURL" work ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,

in the directory server access control documentation, it is said that the following aci syntax can be used :
(version 3.0; acl "test" allow (all) userattr = "parent[1].attribute#LDAPURL";)

I need exactly this feature for the LDAP support of my software.

But in my tests, while userattr="url.#LDAPURL" does work, the use of the "parent" keyword does not work.


I use the class enatelUserReferer which allow the url attribute type. The object under which I want to create another one is :
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests

it is named by the nsuniqueid of the object :
uid=francois,dc=evidian,dc=fr

I want to give add access to this user, even if the user is renamed. So I want to use the nsuniqueid to find him. In the url attribute I store :
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)


Here are the ACI set on my o=tests root suffix :

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access";  allow (read,search,compare) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal acce ss"; allow (all) userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth acces s"; allow (all) userattr="parent[1].url#LDAPURL";)


Then I bind as uid=francois,dc=evidian,dc=fr and try to create an enatelUserManagedAuth of DN :
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests


I got access denied error.


Here is the access control log of slapd :

[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tes ts: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Client DN: uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     resource type:256(add target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO ENDS   *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692   ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_fil ter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e 4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests"



Where is the problem ?

Thank you very much

François
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux