Re: Still Group access problems...
Koen Bosmans wrote:
> Hi,
>
> Since my last posting about the group access problems I had, it seemed to work
> OK, but I only tested it with read access. Now I tested it with ACL write
> access and I got a strange problem!
> This is my only ACL for testing:
>
> access to dn=".*,o=elex,c=be"
> by group="cn=administrators,o=elex,c=be" write
> by * none
>
> ldapsearch works for the administrators, ldapmodify also works, but
> ldapdelete and ldapadd don't work. And ldapmodify with the -a option doesn't work
> either.
>
> This is the group:
>
> dn: cn=administrators,o=elex,c=be
> objectclass: top
> objectclass: groupOfNames
> cn: administrators
> description: Administrators of the domain
> member: cn=Koen Bosmans,o=elex,c=be
> member: cn=Peter Tillemans,o=elex,c=be
> member: cn=Marc Collignon,o=elex,c=be
>
> This is the access debug code I get when Adding or deleting:
>
> => access_allowed: entry (o=elex,c=BE) attr (children)
> => acl_get: entry (o=elex,c=BE) attr (children)
> <= acl_get: no match
To add an entry you have to authorize access to the parent entry of the future
new entry.
So, here, you should have a new ACL line like this :
access to dn="o=elex,c=be" attr=children
by group="cn=administrators,o=elex,c=be" write
by * none
This ACL grants access for adding a new entry (and so deleting, I think) under
"o=elex,c=be".
Try it.
Manu.
>
>
> => acl_access_allowed: write access to entry "o=elex,c=BE"
>
> => acl_access_allowed: write access to value "any" by "CN=KOEN BOSMANS,O=ELEX,C=BE"
> <= acl_access_allowed: denied by default (no matching to)
>
> => access_allowed: exit (o=elex,c=BE) attr (children)
>
> Looks like it can't find a matching ACL for add, but why can it find an ACL
> for search or modify?
>
> Koen Bosmans
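As an added example (not part of either message in this thread), here is the complete slapd.conf access section that results from putting Manu's `attr=children` rule next to Koen's original rule, written in the same old-style `dn=`/`attr=` regex syntax the thread uses. The comments spell out why the original rule alone can never authorize ldapadd or ldapdelete directly under `o=elex,c=be`. All names are the thread's own; the `ou=people` container mentioned in a comment is a hypothetical illustration of the general case.

```conf
# Added example, not from the thread: slapd.conf access section combining
# Koen's subtree rule with the "children" rule from Manu's reply.
#
# slapd picks the FIRST "access to" clause whose target (dn regex plus
# attribute) matches the request; if no clause matches, the request is
# denied, which is the "denied by default (no matching to)" in the debug
# output above. Within a clause the first matching "by" wins.

# Rule 1: adding cn=X,o=elex,c=be, or deleting it, is checked as WRITE
# access to the pseudo-attribute "children" of the PARENT, o=elex,c=be.
# The regex ".*,o=elex,c=be" in rule 2 requires a comma in front of
# o=elex, so it never matches the parent entry itself; that is the
# "acl_get: no match" Koen sees. This clause closes that gap.
access to dn="o=elex,c=be" attr=children
        by group="cn=administrators,o=elex,c=be" write
        by * none

# Rule 2: Koen's original rule. It carries no attr= restriction, so for
# entries below the base it already covers every attribute, including
# "children" (adding under a hypothetical ou=people,o=elex,c=be would be
# authorized by this rule). Only the base entry needed rule 1.
access to dn=".*,o=elex,c=be"
        by group="cn=administrators,o=elex,c=be" write
        by * none
```

If the tree later gets containers whose own parent rule should not depend on rule 2, a single regex clause such as `access to dn=".*o=elex,c=be" attr=children` (the `.*` may be empty, so it matches the base as well as everything beneath it) can replace rule 1; because it names `attr=children`, it does not shadow rule 2 for ordinary attributes. Later slapd releases spell these targets `dn.regex=` and `attrs=`, with the same first-match semantics.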