[Fedora-directory-users] Does userattr="parent[1].attribute#LDAPURL" work ?

François Beretti francois.beretti at gmail.com
Fri Sep 22 17:53:42 UTC 2006


Hi all,

In the directory server access control documentation, it is said that the
following ACI syntax can be used:
(version 3.0; acl "test" allow (all) userattr =
"parent[1].attribute#LDAPURL";)

I need exactly this feature for the LDAP support of my software.

But in my tests, while userattr="url#LDAPURL" does work, the use of the
"parent" keyword does not work.


I use the class enatelUserReferer, which allows the url attribute type. The
object under which I want to create another one is:
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests

It is named after the nsuniqueid of the object:
uid=francois,dc=evidian,dc=fr

I want to give add access to this user, even if the user is renamed. So I
want to use the nsuniqueid to find him. In the url attribute I store:
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)


Here are the ACIs set on my o=tests root suffix:

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer read access";  allow (read,search,compare)
userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer personal access"; allow (all)
userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version
3.0; acl "enatelUserManagedAuth access"; allow (all)
userattr="parent[1].url#LDAPURL";)


Then I bind as uid=francois,dc=evidian,dc=fr and try to create an
enatelUserManagedAuth with the DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests


I get an access denied error.


Here is the access control log of slapd:

[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in
cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14
binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO
STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Client DN:
uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     resource type:256(add
target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Slapi_Entry DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO
ENDS   *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for
evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name:
"enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692   ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read
write delete add self target_attr target_filter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL
INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY
handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for
entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) "
"enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval:
AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add
on entry(cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests).attr(NULL):
no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access",
acidn="o=tests"



Where is the problem?

Thank you very much

François
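Added example, not code from the post or from the directory server: a small Python model of what a `userattr="parent[N].attr#LDAPURL"` rule has to resolve, so the expected outcome of the ACI above can be checked against the deny in the log. The in-memory entries, DN handling and equality-only filter support are constructed simplifications; it generalises to any parent[N] and to base/one/sub URL scopes.

```python
# Constructed stand-in for the directory server's userattr/LDAPURL evaluation.
ENTRIES = {  # constructed sample entries: normalised DN -> attributes
    "uid=francois,dc=evidian,dc=fr": {
        "nsuniqueid": ["5b74e802-1dd211b2-80e4f010-e49d0000"]},
    "cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests": {
        "objectclass": ["enatelUserReferer"],
        "url": ["ldap:///dc=evidian,dc=fr??sub?"
                "(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)"]},
}

def norm_dn(dn):
    """Normalise a DN for comparison (naive comma split, escapes ignored)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent_dn(dn, n):
    """parent[n] in ACI terms: drop the n leftmost RDNs of dn."""
    return ",".join(norm_dn(dn).split(",")[n:])

def in_scope(dn, base, scope):
    """Is dn inside the URL's search base for scope base/one/sub?"""
    dn, base = norm_dn(dn), norm_dn(base)
    if scope in ("base", "one"):
        return (dn if scope == "base" else parent_dn(dn, 1)) == base
    return dn == base or dn.endswith("," + base)

def matches_filter(attrs, flt):
    """Evaluate one equality filter such as (nsuniqueid=...)."""
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]

def bind_dn_matches_url(bind_dn, url):
    """Does the bind entry fall within ldap:///base?attrs?scope?filter?"""
    parts = url[len("ldap:///"):].split("?") + ["", "", ""]
    base, scope, flt = parts[0], parts[2] or "base", parts[3]
    entry = ENTRIES.get(norm_dn(bind_dn))
    return (entry is not None and in_scope(bind_dn, base, scope)
            and (not flt or matches_filter(entry, flt)))

def userattr_ldapurl_allows(bind_dn, target_dn, spec):
    """spec is the userattr value from the ACI, e.g. 'parent[1].url#LDAPURL'."""
    attr, _, bind_type = spec.partition("#")
    if bind_type != "LDAPURL":
        raise ValueError("only the LDAPURL bind type is modelled here")
    n, attr = (0, attr) if not attr.startswith("parent[") else (
        int(attr[7:attr.index("]")]), attr.split(".", 1)[1])
    holder = ENTRIES.get(parent_dn(target_dn, n))  # entry holding the URL
    return holder is not None and any(
        bind_dn_matches_url(bind_dn, u) for u in holder.get(attr, []))
```

For the add in the post, the model resolves parent[1] of the new entry to the enatelUserReferer entry, finds the bind DN via its nsuniqueid filter and allows; comparing that expectation with the server's trace is what narrows the question down.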