ACL problem for Netscape Roaming
Can anyone help me here? I've been working on this for three days. I hate to pull
over and ask for directions.
I am trying to get OpenLDAP on Red Hat Linux 7.2 to work with Netscape roaming.
It seems that my ACL for allowing write access to the Netscape profile is
never chosen.
Here are my configs and debug output. Does the capitalized dn from the LDAP
server cause the regex match to fail?
Thanks,
Ben Baez
slapd.conf
#
loglevel 128
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/mull.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile /var/run/slapd.pid
#argsfile /var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=cdx,dc=org"
#suffix "o=My Organization Name, c=US"
rootdn "cn=Manager,dc=cdx,dc=org"
#rootdn "cn=Manager, o=My Organization Name, c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# rootpw {SSHA}ESC0nZlkkSVlEpCPaq/m94ogDEcQSIpY
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap/cdx
lastmod on # Sets modification field
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# SASL
#sasl-host usoakldap01.cdx.org
#sasl-realm cdx.org
# Include the access lists
include /etc/openldap/slapd.access
[root@usoakldap01 openldap]# more slapd.access
# Access Control
access to * by * read
access to dn=".*,ou=Roaming,dc=cdx,dc=org"
by dnattr=owner write
access to attr=userPassword
by self write
by * none
[root@usoakldap01 openldap]# /usr/sbin/slapd -u ldap -d 128
daemon: socket() failed errno=97 (Address family not supported by protocol)
Backend ACL: access to *
by * read (=rscx)
Backend ACL: access to dn.regex=.*,ou=Roaming,dc=cdx,dc=org
by dnattr=owner write (=wrscx)
Backend ACL: access to attrs=userPassword
by self write (=wrscx)
by * none (=n)
slapd starting
...
=> access_allowed: read access to "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org attr: objectClass
=> acl_mask: access to entry "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org", attr "objectClass" requested
=> acl_mask: to value by "UID=BAEZBO,OU=PEOPLE,DC=CDX,DC=ORG", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org attr: objectClass
=> acl_mask: access to entry "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org", attr "objectClass" requested
=> acl_mask: to value by "UID=BAEZBO,OU=PEOPLE,DC=CDX,DC=ORG", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
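Added example (not from the post or from OpenLDAP itself): a small Python model of slapd's first-match ACL evaluation, run over the three clauses in the slapd.access above. It assumes the requester DN and an owner value taken from the debug output, and that slapd matches dn.regex patterns case-insensitively (REG_ICASE), which is why the model reproduces the "[1] applying read (stop)" lines: the leading "access to * by * read" is chosen for every entry, so the Roaming clause is never consulted until the catch-all is moved last.

```python
import re

# Constructed model of the post's slapd.access: each clause is
# (<what>, [(<who>, <access>), ...]) in file order.
ACL_AS_POSTED = [
    ("*", [("*", "read")]),
    ("dn.regex=.*,ou=Roaming,dc=cdx,dc=org", [("dnattr=owner", "write")]),
    ("attrs=userPassword", [("self", "write"), ("*", "none")]),
]
# Same clauses, most specific first, so the catch-all no longer shadows them.
ACL_REORDERED = [ACL_AS_POSTED[2], ACL_AS_POSTED[1], ACL_AS_POSTED[0]]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    # Assumed: slapd compiles ACL regexes with REG_ICASE, so the upper-cased DN still matches.
    return re.search(what[len("dn.regex="):], entry_dn, re.IGNORECASE) is not None

def who_matches(who, requester_dn, entry):
    if who == "*":
        return True
    if who == "self":
        return requester_dn.lower() == entry["dn"].lower()
    # dnattr=<attr>: the requester's DN must be a value of <attr> on the entry
    owners = entry.get(who[len("dnattr="):], [])
    return requester_dn.lower() in [o.lower() for o in owners]

def evaluate(acls, requester_dn, entry, attr):
    """(level, clause index): slapd uses the FIRST clause whose <what> fits
    the entry/attribute, then the first <who> in it that fits the requester."""
    for i, (what, bys) in enumerate(acls):
        if not what_matches(what, entry["dn"], attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, entry):
                return level, i
        return "none", i        # clause chosen but no <who> fits: denied
    return "read", None         # nothing matched: slapd's built-in default

def can(acls, requester_dn, entry, attr, wanted):
    level, _ = evaluate(acls, requester_dn, entry, attr)
    return LEVELS.index(level) >= LEVELS.index(wanted)

# Constructed entry and requester, using the DNs from the debug output.
PROFILE = {"dn": "nsLIProfileName=baezbo,ou=Roaming,dc=cdx,dc=org",
           "owner": ["uid=baezbo,ou=People,dc=cdx,dc=org"]}
REQUESTER = "UID=BAEZBO,OU=PEOPLE,DC=CDX,DC=ORG"
```

With ACL_AS_POSTED, evaluate() returns ("read", 0) for the profile entry regardless of who asks; with ACL_REORDERED the owner gets ("write", 1) and anyone else ("none", 1).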