Re: Does dnattr work?
I have the following in my OpenLDAP setup (under both 1.2.9 and 2.0.x):
    access to dn=".*"
        by group="cn=LDAP Administrators,ou=Groups,dc=vr1,dc=com" write
        by dnattr=owner write
        by * read
with a sample owner as:
    owner: uid=theowner,ou=People,dc=vr1,dc=com
This has been working fine for me, although I vaguely remember a lot of
bitching and moaning on my part until it worked...
Make sure you can authenticate the owner off of the LDAP server
(ldapmodify [-x -D 'ownersdn' -W] - you should get a blank input line
after you enter the password)
If not you need to modify access to attr=userPassword
(at least 'by * auth')
Adam Jacob wrote:
>
> I posted a question about some OpenLDAP ACL's here a few days back;
> specifically, the use of the dnattr option. I've been totally unsuccessful
> in getting the "dnattr" feature to work right.
>
> In a rule like this:
>
> access to dn="cn=.*,ou=lists,ou=people,dc=go2net,dc=com"
> by group="cn=administrators,ou=security,dc=go2net,dc=com" write
> by group="cn=mailadmin,ou=security,dc=go2net,dc=com" write
> by dnattr=owner write
> by anonymous read
> by * read
>
> With the "owner" field set to:
>
> owner: uid=adam,ou=people,dc=go2net,dc=com
>
> If I bind to the directory as that user, I get permission denied for
> writing.
> I've gotten several personal messages since I posted the question, basically
> saying "Yeah, I have the same problem, no idea"... so, is there anyone out
> there successfully using the dnattr function? Is there some magic bit that
> needs to be flipped to make it work? An attribute that's missing?
--
Les Barstow | e-mail: lbarstow@vr1.com
System Administrator |
VR1, Inc. |
http://www.vr1.com | Disclaimer: All your server are belong to us!
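As an added illustration (not code from either message), here is a small Python model of how slapd walks these directives: the first "access to" whose dn/attr matches wins, then the first matching "by" clause. It puts a constructed "before" ACL that grants no auth on userPassword next to the "by * auth" fix Les suggests; the list entry, its owner, and the group membership are made up.

```python
import re
# Added model (not from the thread) of slapd ACL evaluation: the first "access to"
# whose dn regex/attr matches wins, then the first matching "by" clause; later
# directives are never consulted. Entries and DNs below are constructed.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))
DIRECTORY = {  # constructed entries keyed by normalised DN
    norm("cn=announce,ou=lists,ou=people,dc=go2net,dc=com"):
        {"owner": ["uid=adam,ou=people,dc=go2net,dc=com"]},
    norm("cn=mailadmin,ou=security,dc=go2net,dc=com"):
        {"member": ["uid=postmaster,ou=people,dc=go2net,dc=com"]},
    norm("uid=adam,ou=people,dc=go2net,dc=com"): {"userPassword": ["{SSHA}x"]},
}
def by_matches(who, bound, target):
    """One 'by <who>' clause; bound is the requester DN, or None when anonymous."""
    entry, (kind, _, arg) = DIRECTORY.get(norm(target), {}), who.partition("=")
    if who == "*":         return True
    if who == "anonymous": return bound is None
    if who == "self":      return bound is not None and norm(bound) == norm(target)
    if kind == "dnattr":   # requester DN must be a value of <arg> on the target entry
        return bound is not None and norm(bound) in map(norm, entry.get(arg, []))
    if kind == "group":    # requester DN must be a member of the named group entry
        members = DIRECTORY.get(norm(arg), {}).get("member", [])
        return bound is not None and norm(bound) in map(norm, members)
    raise ValueError("unsupported 'by' clause: " + who)
def granted(acl, bound, target, attr=None):
    """Level from the first matching directive; 'none' if no directive matches."""
    for dn_re, to_attr, clauses in acl:
        if re.match(dn_re + "$", target, re.I) and not (to_attr and to_attr != attr):
            return next((lvl for who, lvl in clauses if by_matches(who, bound, target)), "none")
    return "none"
def allowed(acl, bound, target, need, attr=None):
    return LEVELS.index(granted(acl, bound, target, attr)) >= LEVELS.index(need)
def try_modify(acl, bind_dn, target):
    """Simple bind first (slapd needs 'auth' on userPassword, checked as anonymous), then write."""
    bound = bind_dn if allowed(acl, None, bind_dn, "auth", "userPassword") else None
    return allowed(acl, bound, target, "write")

LISTS = ("cn=.*,ou=lists,ou=people,dc=go2net,dc=com", None, [
    ("group=cn=mailadmin,ou=security,dc=go2net,dc=com", "write"),
    ("dnattr=owner", "write"), ("anonymous", "read"), ("*", "read")])
# Constructed 'before': passwords reachable only by self, so no simple bind succeeds
# and every request arrives anonymous, where "dnattr=owner" can never match.
BEFORE = [(".*", "userPassword", [("self", "write"), ("*", "none")]), LISTS]
# Les's fix: at least 'by * auth' on userPassword, kept ahead of any catch-all rule.
AFTER = [(".*", "userPassword", [("self", "write"), ("*", "auth")]), LISTS]
OWNER, LIST = "uid=adam,ou=people,dc=go2net,dc=com", "cn=announce,ou=lists,ou=people,dc=go2net,dc=com"
```

Running `try_modify(BEFORE, OWNER, LIST)` yields False and `try_modify(AFTER, OWNER, LIST)` yields True; the only difference between the two ACLs is the auth grant on userPassword.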