[Date Prev][Date Next] [Chronological] [Thread] [Top]
ACL problem for Netscape Roaming

To: openldap-software@OpenLDAP.org
Subject: ACL problem for Netscape Roaming
From: Benjamin Baez <bbaez@biospectra.com>
Date: Mon, 19 Nov 2001 14:49:31 -0800
User-agent: Internet Messaging Program (IMP) 2.3.7-cvs
Can anyone help me here, I've been working on this three days?   I hate to pull 
over and ask for directions.

I am trying to get OpenLDAP on Red Hat Linux 7.2 to work with Netscape roaming. 
 It seems that my ACL for allowing write access to the Netscape profile is 
never chosen. 

Here are my configs and debug output.  Does the capitalized dn from the LDAP 
server cause the regex match to fail?

Thanks,

Ben Baez

slapd.conf

#

loglevel 128

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema
include         /etc/openldap/schema/mull.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

#pidfile        /var/run/slapd.pid
#argsfile       /var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=cdx,dc=org"
#suffix         "o=My Organization Name, c=US"
rootdn          "cn=Manager,dc=cdx,dc=org"
#rootdn         "cn=Manager, o=My Organization Name, c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# rootpw          {SSHA}ESC0nZlkkSVlEpCPaq/m94ogDEcQSIpY
# rootpw                {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND 
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap/cdx
lastmod         on      # Sets modification field
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
# Replicas to which we should propagate changes
#replica ldap-1.example.com:389 tls=yes
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM
# SASL
#sasl-host      usoakldap01.cdx.org
#sasl-realm     cdx.org
# Include the access lists
include                 /etc/openldap/slapd.access


[root@usoakldap01 openldap]# more slapd.access 
# Access Control
access to * by * read
access to dn=".*,ou=Roaming,dc=cdx,dc=org"
        by dnattr=owner write
access to attr=userPassword
         by self write
         by * none


[root@usoakldap01 openldap]# /usr/sbin/slapd -u ldap -d 128
daemon: socket() failed errno=97 (Address family not supported by protocol)
Backend ACL: access to *
        by * read (=rscx)

Backend ACL: access to dn.regex=.*,ou=Roaming,dc=cdx,dc=org
        by dnattr=owner write (=wrscx)

Backend ACL: access to attrs=userPassword
        by self write (=wrscx)
        by * none (=n)

slapd starting

...

=> access_allowed: read access to 
"nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=o
rg" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org attr: 
object
Class
=> acl_mask: access to entry "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org", 
attr "objectClass" requested
=> acl_mask: to value by "UID=BAEZBO,OU=PEOPLE,DC=CDX,DC=ORG", (=n) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to 
"nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=o
rg" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org attr: 
object
Class
=> acl_mask: access to entry "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org", 
attr "objectClass" requested
=> acl_mask: to value by "UID=BAEZBO,OU=PEOPLE,DC=CDX,DC=ORG", (=n) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
Follow-Ups:
- Re: ACL problem for Netscape Roaming
  - From: Adam Tauno Williams <adam@morrison-ind.com>
Prev by Date: [no subject]
Next by Date: multi-valued attribute indexes [x]
Index(es):
- Chronological
- Thread