Re: ACL confusion
Nicholas Riley wrote:
>
> At 11:43 AM -0700 6/24/99, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
> Thanks very much for the help.
>
> >That's not a valid DN (per RFC1779) and will likely cause problems.
> >Namely, the "," in o='Invantage, Inc.' must be quoted using an
> >approved mechanism. "'" character is NOT a quote character.
>
> I tried quoting by following the example at the end of chapter 5 of
> the SLAPD and SLURPD Administrators Guide: "o=\"Invantage,
> Inc.\",c=US".
I strongly recommend use of ldapadd to import entries into directories.
ldif2ldbm is meant for database recovery and assumes error free input.
ldapadd is slow but safe.
> This did not work - it yielded error messages
> everywhere. Using single quotes looked distinctly bad to me, but it
> had worked everywhere so far. I see from RFC 1779 that "o=Invantage\,
> Inc.,c=US" should be permitted. I'll try that later.
Quoting in DNs (including the "\" character) should be avoided. They'll
cause you nothing but headaches.
> I rebuilt the database with o=Invantage, to make sure that the comma
> in the DN does not contribute to the problem, and tried again. The
> same problem still occurs, as best I can tell. Here is the LDIF file
> I imported to begin with:
>
> >dn: o=Invantage,c=US
> >objectclass: organization
You're missing a required attribute (o) of organization. Shouldn't
affect ACLs. I'll assume your suffix is "o=Invantage,c=US".
> >dn: ou=Staff,o=Invantage,c=US
> >objectclass: organizationalUnit
You're missing a required attribute (ou) of organizationalUnit. Shouldn't
affect ACLs.
> >dn: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
> >cn: Nicholas Riley
> >sn: Riley
> >uid: nicholas
> >ou: Staff
> >mail: nicholas@invantage.com
> >objectclass: person
> >userpassword: {crypt}<stuff>
> >
> >dn: uid=root,ou=Staff,o=Invantage,c=US
> >uid: root
> >ou: Staff
> >description: System Administrator account
> >seeAlso: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
> >objectclass: account
> >
> >dn: Netscape Server Admin,o=Invantage,c=US
Bogus DN, probably should be: cn=Netscape Server Admin,o=Invantage,c=US ?
> and portions of slapd.conf again:
> >rootdn "uid=root,ou=Staff,o=Invantage,c=US"
> >defaultaccess read
> >access to attr=userpassword
> > by self write
> > by dn="uid=root,ou=Staff,o=Invantage,c=US" write
> > by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
> > by * compare
> >access to *
> > by dn="uid=root,ou=Staff,o=Invantage,c=US" write
> > by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
> > by * read
These ACLs won't match your bogus DN above... as your results indicate.
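To make the two points of this exchange concrete (how the single-quoted DN splits on the embedded comma while the RFC 1779 double-quote form and the backslash form do not, and why an ACL `by dn="cn=Netscape Server Admin,..."` clause cannot match an entry whose DN lacks the `cn=` type), here is a small Python illustration. It is an added example, not code from the thread or from OpenLDAP; the DN splitting, unescaping and comparison are a simplified RFC 2253-style implementation written for this post, and the `MUST_ATTRS` table is a constructed, minimal stand-in for the server's schema covering only the object classes in the quoted LDIF.

```python
import re

# Constructed, minimal schema: required attributes of the object classes that
# appear in the quoted LDIF (the real schema is larger; this is an assumption).
MUST_ATTRS = {
    "organization": ["o"],
    "organizationalunit": ["ou"],
    "person": ["cn", "sn"],
    "account": ["uid"],
}


def split_dn(dn):
    """Split a DN into RDN strings on commas that are neither backslash-escaped
    (RFC 2253) nor inside a double-quoted value (the older RFC 1779 form).
    A single quote (') is an ordinary character and protects nothing."""
    rdns, buf, in_quote, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            buf.append(ch + dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn):
    """Return (attribute type, unescaped value); type is None if '=' is absent."""
    if "=" not in rdn:
        return None, rdn
    t, v = rdn.split("=", 1)
    v = v.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':   # RFC 1779 quoted value
        v = v[1:-1]
    v = re.sub(r"\\(.)", r"\1", v)                     # drop backslash escapes
    return t.strip().lower(), v


def parse_dn(dn):
    return [parse_rdn(r) for r in split_dn(dn)]


def escape_value(value):
    """Escape an attribute value for embedding in a DN (RFC 2253 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        special |= ch == "#" and i == 0
        special |= ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if special else ch)
    return "".join(out)


def dn_matches(acl_dn, entry_dn):
    """True if both DNs name the same entry: same types, values compared
    case-insensitively, whitespace around commas ignored."""
    a = [(t, v.lower()) for t, v in parse_dn(acl_dn)]
    b = [(t, v.lower()) for t, v in parse_dn(entry_dn)]
    return a == b


def missing_must(entry):
    """List required attributes an LDIF entry (dict of lowercased attribute
    name -> list of values) lacks, according to MUST_ATTRS."""
    missing = []
    for oc in entry.get("objectclass", []):
        for attr in MUST_ATTRS.get(oc.lower(), []):
            if attr not in entry and attr not in missing:
                missing.append(attr)
    return missing


if __name__ == "__main__":
    print(split_dn("o='Invantage, Inc.',c=US"))        # three pieces: broken
    print(parse_dn('o="Invantage, Inc.",c=US'))         # two RDNs: intended
    print(parse_dn("o=Invantage\\, Inc.,c=US"))         # two RDNs: intended
    print(dn_matches("cn=Netscape Server Admin,o=Invantage,c=US",
                     "Netscape Server Admin,o=Invantage,c=US"))   # False
    print(missing_must({"objectclass": ["organization"]}))       # ['o']
```

Running it shows the single-quoted DN breaking into three RDNs, the second of which has no attribute type, whereas both the double-quoted and backslash-escaped forms yield the intended `o` and `c` components; it also shows that the bogus `Netscape Server Admin,...` DN never compares equal to the `cn=`-prefixed DN used in the `access` clauses, and that the `o=Invantage,c=US` entry as written lacks its required `o` attribute.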