
Re: Still Group access problems...



Koen Bosmans wrote:

> Hi,
>
> Since my last posting about the group access problems I had, it seemed to work
> OK, but I only tested it with read access. Now I tested it with ACL write
> access and I've got a strange problem!!!
> This is my only ACL for testing:
>
> access to dn=".*,o=elex,c=be"
>         by group="cn=administrators,o=elex,c=be"                write
>         by *                                                    none
>
> ldapsearch works for the administrators, ldapmodify also works, but
> ldapdelete and ldapadd don't work. And ldapmodify with the -a option doesn't
> work either.
>
> This is the group:
>
> dn: cn=administrators,o=elex,c=be
> objectclass: top
> objectclass: groupOfNames
> cn: administrators
> description: Administrators of the domain
> member: cn=Koen Bosmans,o=elex,c=be
> member: cn=Peter Tillemans,o=elex,c=be
> member: cn=Marc Collignon,o=elex,c=be
>
> This is the access debug code I get when Adding or deleting:
>
> => access_allowed: entry (o=elex,c=BE) attr (children)
> => acl_get: entry (o=elex,c=BE) attr (children)
> <= acl_get: no match

To add an entry you have to authorize access to the parent entry of the future
new entry.
So, here, you should have a new ACL line like this:

access to dn="o=elex,c=be" attr=children
        by group="cn=administrators,o=elex,c=be"  write
        by * none

This ACL grants access for adding a new entry (and so deleting, I think) under
"o=elex,c=be".

Try it.

Manu.


>
>
> => acl_access_allowed: write access to entry "o=elex,c=BE"
>
> => acl_access_allowed: write access to value "any" by "CN=KOEN BOSMANS,O=ELEX,C=BE"
> <= acl_access_allowed: denied by default (no matching to)
>
> => access_allowed: exit (o=elex,c=BE) attr (children)
>
> Looks like he can't find a matching ACL for add, but why can he find an ACL
> for search or modify????
>
> Koen Bosmans
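The following Python model is an added illustration, not code from this thread or from OpenLDAP, of why the single ACL above lets the administrators search and modify but not add or delete. It assumes a simplified version of slapd's evaluation: the `dn="..."` pattern is an unanchored, case-insensitive regular expression tested against the target entry's DN, the first `access to` directive whose target matches is selected, the first matching `by` clause in it decides, and adding or deleting an entry is checked as write access to the parent's `children` pseudo-attribute (as the `access_allowed` trace shows). Group membership is a constructed dict standing in for the group entry from the thread; the `Acl`, `access_allowed` and `operations` names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the groupOfNames entry quoted in the thread; a real
# slapd reads the group entry from the database.
GROUPS = {
    "cn=administrators,o=elex,c=be": {
        "cn=koen bosmans,o=elex,c=be",
        "cn=peter tillemans,o=elex,c=be",
        "cn=marc collignon,o=elex,c=be",
    },
}

# Access levels are cumulative: write implies read, read implies search, ...
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


@dataclass
class Acl:
    """One 'access to dn=<regex> [attr=<name>] by ...' directive (hypothetical, simplified)."""
    dn_regex: str
    by: List[Tuple[str, str]]         # ordered (who, level) pairs; who is 'group=<dn>' or '*'
    attr: Optional[str] = None        # None: applies to the entry and every attribute


def acl_applies(acl: Acl, target_dn: str, attr: str) -> bool:
    # Assumption: the old dn= pattern was an unanchored, case-insensitive regex.
    if not re.search(acl.dn_regex, target_dn, re.IGNORECASE):
        return False
    return acl.attr is None or acl.attr == attr


def who_matches(who: str, bind_dn: str) -> bool:
    if who == "*":
        return True
    if who.startswith("group="):
        members = GROUPS.get(who[len("group="):].lower(), set())
        return bind_dn.lower() in members
    return False


def access_allowed(acls: List[Acl], target_dn: str, attr: str, bind_dn: str, needed: str) -> bool:
    """First ACL whose 'to' part matches is chosen; its first matching 'by' clause
    decides. No matching ACL at all is the trace's 'denied by default'."""
    for acl in acls:
        if not acl_applies(acl, target_dn, attr):
            continue
        for who, level in acl.by:
            if who_matches(who, bind_dn):
                return LEVELS[level] >= LEVELS[needed]
        return False
    return False


def operations(acls: List[Acl], bind_dn: str) -> dict:
    """Evaluate the four operations from the thread for one bound user."""
    child = "cn=Koen Bosmans,o=elex,c=be"
    parent = "o=elex,c=be"
    return {
        "search": access_allowed(acls, child, "cn", bind_dn, "read"),
        "modify": access_allowed(acls, child, "description", bind_dn, "write"),
        # add/delete under the parent = write on the parent's 'children' pseudo-attribute;
        # the parent DN "o=elex,c=be" has no comma before "o=elex", so ".*,o=elex,c=be"
        # never matches it.
        "add": access_allowed(acls, parent, "children", bind_dn, "write"),
        "delete": access_allowed(acls, parent, "children", bind_dn, "write"),
    }


ADMINS = "group=cn=administrators,o=elex,c=be"

# The single ACL from the original posting.
ORIGINAL = [Acl(r".*,o=elex,c=be", [(ADMINS, "write"), ("*", "none")])]

# The same plus the attr=children directive suggested in the reply.
FIXED = [Acl(r"o=elex,c=be", [(ADMINS, "write"), ("*", "none")], attr="children")] + ORIGINAL

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, operations(acls, "cn=Koen Bosmans,o=elex,c=be"))
```

Running it prints `add` and `delete` as denied under the original ACL and granted under the fixed one, while a bind DN outside the group still falls through to `by * none` for every operation.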