Specifying write access for more than one user?
Hello,
I'm fighting the 'access' directive in slapd.conf currently.
With the docs in my hands I seem to be unable to specify
rules that allow write access not only to one person but to a
whole set of them.
The setup right now is
cn=admin1,ou=administrators,o=company,c=TLD
cn=admin2,ou=administrators,o=company,c=TLD
[...]
When I use the default permission set:
access to attribute=userPassword
        by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
        by * read
I can for example add new administrators with user 'admin1'
without problems.
My first attempt to add permission to let admin2 do the same
thing as admin1 was just to add the line
        by dn="cn=admin2,ou=administrators,o=company,c=TLD" write
right after the admin1 line.
It didn't take long before I figured out it was too inefficient and I
searched for a way to match all cn's in the administrator ou.
I thought by replacing the admin(1|2) lines with
        by dn="cn=*,ou=administrators,o=company,c=TLD" write
all would be done. I can login successfully, but when I
attempt to create another administrator, I always get:
Root error: [LDAP: error code 50 - no write access to parent]
(from the client). In fact I get this error for every new
entry I try to add.
The slapd access log shows me:
access_allowed: write access to "ou=Administrators, o=company,c=TLD" "children" requested
acl_get: [1] check attr children
acl_get: [2] check attr children
acl_get: [2] acl ou=Administrators, o=company,c=TLD attr: children
acl_mask: access to entry "ou=Administrators, o=company,c=TLD", attr "children" requested
acl_mask: to all values by "CN=ADMIN,OU=ADMINISTRATORS,O=COMPANY,C=TLD", (=n)
check a_dn_pat: cn=*,ou=administrators,o=company,c=TLD
check a_dn_pat: *
acl_mask: [2] applying read (=rscx) (stop)
acl_mask: [2] mask: read (=rscx)
access_allowed: write access denied by read (=rscx)
I can clearly see what's going wrong (the read mask
successfully applies first so the access process stops) but I
don't know how to solve it (i.e. what the right dn entry
should be).
Thanks in advance for any hint!
kind regards,
- Markus
--
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
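The ACL the mail is asking for, written out as an added example (this is not from the original mail or from any reply to it): the same two access rules with a who-clause that matches every entry directly under the administrators OU instead of one named admin. It assumes OpenLDAP 2.1-or-later slapd.conf syntax (dn.children, dn.regex, attrs=); the DNs are the ones from the post. The explanation of why "cn=*" never matches assumes the release in use treats a plain dn="..." value as a regular expression, as the older 2.0 syntax did; the log lines above (the pattern is tested and falls through to "by * read") are consistent with that.

```conf
# Added example, not the poster's config.  Assumes OpenLDAP 2.1+ syntax.

# Why the original who-clause fails (assuming dn="..." is a regex here):
# in a regular expression "*" means "zero or more of the preceding
# character", not "any name", so
#     cn=*,ou=administrators,o=company,c=TLD
# matches "cn,ou=administrators,..." or "cn==,ou=administrators,...",
# but never "cn=admin1,ou=administrators,...".  The clause does not
# match, evaluation falls through to "by * read", and the add is denied
# with "no write access to parent".
#
#     by dn="cn=*,ou=administrators,o=company,c=TLD" write        # broken

# Corrected: dn.children matches any entry below the OU (the OU entry
# itself is excluded), so every cn=...,ou=administrators,... binds as admin.
access to attrs=userPassword
        by dn.children="ou=administrators,o=company,c=TLD" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn.children="ou=administrators,o=company,c=TLD" write
        by * read

# Equivalent explicit-regex form (anchored, one RDN below the OU):
#     by dn.regex="^cn=[^,]+,ou=administrators,o=company,c=TLD$" write
#
# On a 2.0 release, where dn="..." is already a regex, the same idea is:
#     by dn=".*,ou=administrators,o=company,c=TLD" write
```

After changing slapd.conf, restart slapd and repeat the add as admin2; the debug output should then show the dn.children clause applying "write" instead of stopping at "read (=rscx)". One thing to keep in mind with this style of rule: anyone who can create an entry under ou=administrators becomes an administrator, so that subtree should stay writable only by the administrators themselves (which the rule above already guarantees). If membership should be managed separately from where the entries live, a group-based clause such as `by group="cn=admins,ou=groups,o=company,c=TLD" write` (the group DN is a made-up example) matches members of a groupOfNames entry instead of a subtree.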