
probably simple acl problem



Hi,

I added some entries to the LDAP tree and want to use one of them as a "super-user".
I mean, I want to add more entries while authenticated as this user.


The entry is:

dn: uid=mylogin,ou=People,dc=mydomain,dc=com
uid: mylogin
cn: My Name
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}asdlvkjabsevuib
shadowLastChange: 11927
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/mylogin

And the ACLs are:
access to dn="(.*,)*,dc=mydomain,dc=com"
        by dn="uid=mylogin,ou=People,dc=ce3,dc=pl" write

access to attr=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous none

access to * by * none


The log file shows:

Nov 25 12:09:02 gate slapd[5138]: => access_allowed: auth access to "uid=mylogin,ou=People,dc=mydomain,dc=com" "userPassword" requested
Nov 25 12:09:02 gate slapd[5138]: => dnpat: [1] (.*,)*,dc=ce3,dc=pl nsub: 1
Nov 25 12:09:02 gate slapd[5138]: => acl_get: [1] matched
Nov 25 12:09:02 gate slapd[5138]: => acl_get: [1] check attr userPassword
Nov 25 12:09:02 gate slapd[5138]: <= acl_get: [1] acl uid=mylogin,ou=People,dc=mydomain,dc=com attr: userPassword
Nov 25 12:09:02 gate slapd[5138]: => match[0]: 22 35
Nov 25 12:09:02 gate slapd[5138]: ,
Nov 25 12:09:02 gate slapd[5138]: D
Nov 25 12:09:02 gate slapd[5138]: C
Nov 25 12:09:02 gate slapd[5138]: =
Nov 25 12:09:02 gate slapd[5138]: C
Nov 25 12:09:02 gate slapd[5138]: E
Nov 25 12:09:02 gate slapd[5138]: 3
Nov 25 12:09:02 gate slapd[5138]: ,
Nov 25 12:09:02 gate slapd[5138]: D
Nov 25 12:09:02 gate slapd[5138]: C
Nov 25 12:09:02 gate slapd[5138]: =
Nov 25 12:09:02 gate slapd[5138]: P
Nov 25 12:09:02 gate slapd[5138]: L
Nov 25 12:09:02 gate slapd[5138]: => acl_mask: access to entry "uid=mylogin,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
Nov 25 12:09:02 gate slapd[5138]: => acl_mask: to all values by "", (=n)
Nov 25 12:09:02 gate slapd[5138]: <= check a_dn_pat: uid=mylogin,ou=People,dc=mydomain,dc=com
Nov 25 12:09:02 gate slapd[5138]: <= acl_mask: no more <who> clauses, returning =n (stop)
Nov 25 12:09:02 gate slapd[5138]: => access_allowed: auth access denied by =n



What is wrong?
Maybe the ACL is wrong, but to me it seems OK.
A user authenticated as uid=mylogin should be able to write everywhere below dc=mydomain,dc=com.



Kuba
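The denial in the log above, modelled as an added example that is not part of the original post and not OpenLDAP code. The log shows an anonymous requester (`by ""`) asking for `auth` access to `userPassword` on the entry during a simple bind; the first directive's dn regex matched the entry, and that directive has a single `by dn=...` clause, so slapd found no matching <who> clause and stopped with `=n`. The toy evaluator below reproduces that outcome for the posted ACLs and shows the same check passing once a `by * break` clause (OpenLDAP's `break` control, assumed here as the fix) is added to the first directive so other requesters fall through to the `userPassword` rule. Assumptions beyond the post: one consistent suffix `dc=mydomain,dc=com` (the post mixes it with `dc=ce3,dc=pl`), exact-string matching for `by dn=`, and the small privilege lattice in `LEVELS`.

```python
"""Toy model of how slapd walks 'access to ... by ...' directives.

Added illustration, not OpenLDAP code.  Rules modelled: the first
directive whose target matches is the only one consulted; inside it the
first matching <who> clause decides; with no matching <who> clause the
request is denied and evaluation stops (the log's "no more <who>
clauses, returning =n (stop)").  A 'break' privilege (assumed to behave
like OpenLDAP's 'by * break') moves on to the next directive instead.
"""
import re
import shlex

# slapd privilege levels, lowest to highest; a grant of X satisfies any
# request for a level <= X
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def parse_acls(text):
    """Parse slapd.conf-style access directives into a list of dicts."""
    acls = []
    for raw in text.splitlines():
        toks = shlex.split(raw)          # also strips the quotes in dn="..."
        if not toks:
            continue
        i = 0
        if toks[:2] == ["access", "to"]:
            target, i = [], 2
            while i < len(toks) and toks[i] != "by":
                target.append(toks[i])
                i += 1
            acls.append({"target": target, "by": []})
        while i < len(toks):             # zero or more "by <who> <level>"
            if toks[i] != "by":
                raise ValueError(f"unexpected token {toks[i]!r} in {raw!r}")
            acls[-1]["by"].append((toks[i + 1], toks[i + 2]))
            i += 3
    return acls


def target_matches(target, entry_dn, attr):
    for t in target:
        if t == "*":
            continue
        if t.startswith("dn="):
            # dn=<regex> is searched, not anchored: the posted log's
            # "match[0]: 22 35" is a substring hit, with (.*,)* matching empty
            if not re.search(t[3:], entry_dn, re.IGNORECASE):
                return False
        elif t.startswith("attr="):
            if attr.lower() not in [a.lower() for a in t[5:].split(",")]:
                return False
        else:
            raise ValueError(f"unsupported target {t!r}")
    return True


def who_matches(who, requester, entry_dn):
    """requester == '' is an anonymous bind (the log's 'by ""')."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):            # exact DN match (assumption)
        return requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who> {who!r}")


def access_allowed(acls, requester, entry_dn, attr, wanted):
    """Return (granted, trace) for one access check in slapd's order."""
    trace = []
    for n, acl in enumerate(acls, 1):
        if not target_matches(acl["target"], entry_dn, attr):
            continue
        trace.append(f"acl[{n}] target matched: {' '.join(acl['target'])}")
        for who, level in acl["by"]:
            if not who_matches(who, requester, entry_dn):
                continue
            if level == "break":         # keep looking at later directives
                trace.append(f"acl[{n}] by {who} break -> continue")
                break
            granted = LEVELS[level] >= LEVELS[wanted]
            trace.append(f"acl[{n}] by {who} {level} -> "
                         f"{'grant' if granted else 'deny'} (stop)")
            return granted, trace
        else:                            # no <who> clause matched
            trace.append(f"acl[{n}] no more <who> clauses -> deny (stop)")
            return False, trace
    trace.append("no directive matched -> deny (default)")
    return False, trace


# The posted ACLs with one consistent suffix (assumption: dc=mydomain,dc=com).
POSTED = """
access to dn="(.*,)*,dc=mydomain,dc=com"
        by dn="uid=mylogin,ou=People,dc=mydomain,dc=com" write
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous none
access to * by * none
"""
# Same ACLs with 'by * break' added to the first directive.
FIXED = POSTED.replace('dc=mydomain,dc=com" write\n',
                       'dc=mydomain,dc=com" write\n        by * break\n', 1)
MYLOGIN = "uid=mylogin,ou=People,dc=mydomain,dc=com"


def simple_bind_can_auth(config_text, bind_dn):
    """The check a simple bind triggers: anonymous, auth, userPassword."""
    return access_allowed(parse_acls(config_text), "", bind_dn,
                          "userPassword", "auth")
```

Calling `simple_bind_can_auth(POSTED, MYLOGIN)` returns `False` with a trace ending in the "no more <who> clauses" line, matching the log; `simple_bind_can_auth(FIXED, MYLOGIN)` returns `True` because the anonymous requester now falls through to the `by anonymous auth` clause, while `access_allowed(parse_acls(FIXED), MYLOGIN, ..., "write")` still grants the super-user write access from the first directive.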