Re: ACL (dnattr) usage
> I'm trying to rewrite some ACLs to be more generic, so I've created an
> attribute called 'administrator' (I _could_ have used 'owner', but I'd
> forgotten about that).
>
> My Base DN is 'dc=com'. Under that I have 'dc=bayour' (=>
> dc=bayour,dc=com).
>
> In the 'dc=bayour' object I have
>
> dn: dc=bayour,dc=com
> administrator: uid=frans,ou=People,dc=bayour,dc=com
>
> Trying to add a user object (with the DN
> uid=test,ou=People,dc=bayour,dc=com) doing a simple bind as
> 'uid=frans,ou=People,dc=bayour,dc=com' fails (see below)!
>
> The ACL looks like:
> access to dn="ou=People,dc=bayour,dc=com"
> by dnattr=administrator write
> by * read
>
> The attribute looks like:
> attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
> DESC 'Administrator for branch'
> SUP owner)
>
> Running slapd in debug mode shows this:
>
> ------ s n i p -----
> => access_allowed: write access to "ou=People,dc=bayour,dc=com" "children" requested
> => dnpat: [1] ou=People,dc=bayour,dc=com nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr children
> <= acl_get: [1] acl ou=People,dc=bayour,dc=com attr: children
> => acl_mask: access to entry "ou=People,dc=bayour,dc=com", attr "children" requested
> => acl_mask: to all values by "UID=FRANS,OU=PEOPLE,DC=BAYOUR,DC=COM", (=n)
> <= check a_dn_at: administrator
> <= check a_dn_pat: *
> <= acl_mask: [2] applying read (=rscx) (stop)
> <= acl_mask: [2] mask: read (=rscx)
> => access_allowed: write access denied by read (=rscx)
> ====> cache_return_entry_w( 248 ): returned (0)
> no write access to parent
> ------ s n i p -----
>
> What does '"children" requested' actually mean?
to add an entry you need write access to the meta-attr "children"
of the parent entry.
you have
access to dn="ou=People,dc=bayour,dc=com"
by dnattr=administrator write
by * read
so this should imply access to the "children" meta-attr
as well. Try making it explicit, e.g.
access to dn.exact="ou=People,dc=bayour,dc=com" attrs=children
by dnattr=administrator write
by * read
access to dn.subtree="ou=People,dc=bayour,dc=com"
by dnattr=administrator write
by * read
Otherwise I need to dig into the code.
P.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
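The following is an added example, not part of the thread and not OpenLDAP's own code: a small Python model of how slapd walks a slapd.conf ACL for an add operation. It reproduces the two mechanics the thread turns on: an add is checked as write access to the "children" pseudo-attribute of the parent entry, and a `dnattr=<attr>` clause is matched against the values of `<attr>` in the entry the `access to` directive applies to (here ou=People, not dc=bayour). The directory contents, ACLs and DNs are the ones from the post, reconstructed as constructed sample data; the evaluation order (first matching `access to`, then first matching `by`, implicit `by * none` if nothing matches) follows slapd.access(5) but the code is a simplification, not the real acl_mask().

```python
"""Toy model of slapd ACL evaluation for an LDAP add (added example, not slapd code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Privilege levels in the order slapd ranks them; a clause granting level L
# also satisfies any request for a lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str    # "*", "dnattr=<attr>" or "dn.exact=<dn>" (only these are modelled)
    level: str


@dataclass
class AccessTo:
    dn: str                      # target DN pattern
    scope: str = "exact"         # "exact" or "subtree"
    attrs: Optional[set] = None  # None = entry, all attributes and pseudo-attributes
    by: list = field(default_factory=list)


def norm(dn: str) -> str:
    """Case-insensitive, whitespace-insensitive DN comparison key (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_matches(target: str, pattern: str, scope: str) -> bool:
    t, p = norm(target), norm(pattern)
    if scope == "exact":
        return t == p
    if scope == "subtree":
        return t == p or t.endswith("," + p)
    raise ValueError(scope)


def who_matches(clause: str, bound_dn: str, target_entry: dict) -> bool:
    if clause == "*":
        return True
    if clause.startswith("dnattr="):
        attr = clause[len("dnattr="):]
        # dnattr is evaluated against the entry being accessed, not its parents.
        values = {norm(v) for v in target_entry.get(attr, [])}
        return norm(bound_dn) in values
    if clause.startswith("dn.exact="):
        return norm(bound_dn) == norm(clause[len("dn.exact="):])
    raise ValueError(clause)


def access_allowed(acls, directory, bound_dn, target_dn, attr, wanted):
    """Return (granted, clause) for `wanted` access to `attr` of `target_dn`."""
    entry = directory.get(norm(target_dn), {})
    for acl in acls:
        if not dn_matches(target_dn, acl.dn, acl.scope):
            continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        for by in acl.by:            # first matching "by" wins (default "stop")
            if who_matches(by.who, bound_dn, entry):
                return LEVELS.index(by.level) >= LEVELS.index(wanted), by
        return False, None           # directive matched, no "by" clause did
    return False, None               # no directive matched: implicit "by * none"


def can_add(acls, directory, bound_dn, new_dn):
    """An add needs write access to the parent's 'children' pseudo-attribute."""
    parent = new_dn.split(",", 1)[1]
    return access_allowed(acls, directory, bound_dn, parent, "children", "write")[0]


# Constructed sample data mirroring the post: 'administrator' sits on dc=bayour.
DIRECTORY = {
    norm("dc=bayour,dc=com"): {"administrator": ["uid=frans,ou=People,dc=bayour,dc=com"]},
    norm("ou=People,dc=bayour,dc=com"): {},
}
# Same directory, but with the attribute on the entry the ACL actually targets.
DIRECTORY_ATTR_ON_PEOPLE = {
    norm("dc=bayour,dc=com"): {},
    norm("ou=People,dc=bayour,dc=com"): {"administrator": ["uid=frans,ou=People,dc=bayour,dc=com"]},
}
ACL_FROM_POST = [
    AccessTo(dn="ou=People,dc=bayour,dc=com",
             by=[By("dnattr=administrator", "write"), By("*", "read")]),
]
ACL_EXPLICIT = [  # the explicit attrs=children form suggested in the reply
    AccessTo(dn="ou=People,dc=bayour,dc=com", scope="exact", attrs={"children"},
             by=[By("dnattr=administrator", "write"), By("*", "read")]),
    AccessTo(dn="ou=People,dc=bayour,dc=com", scope="subtree",
             by=[By("dnattr=administrator", "write"), By("*", "read")]),
]


def demo() -> dict:
    frans = "uid=frans,ou=People,dc=bayour,dc=com"
    new = "uid=test,ou=People,dc=bayour,dc=com"
    return {
        "post_acl_attr_on_dc": can_add(ACL_FROM_POST, DIRECTORY, frans, new),
        "post_acl_attr_on_people": can_add(ACL_FROM_POST, DIRECTORY_ATTR_ON_PEOPLE, frans, new),
        "explicit_acl_attr_on_dc": can_add(ACL_EXPLICIT, DIRECTORY, frans, new),
        "explicit_acl_attr_on_people": can_add(ACL_EXPLICIT, DIRECTORY_ATTR_ON_PEOPLE, frans, new),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'allowed' if granted else 'denied'}")
```

Run as a script it prints one line per case. With the attribute only on dc=bayour the model denies the add under both ACL spellings, falling through to the `by *` read clause exactly as the quoted debug trace does; moving the `administrator` value onto ou=People itself is what makes the `dnattr` clause match in the model.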