
GQ write issue



I wonder if anyone has some advice for me with this one. slapd.conf is
set up as:

----------------------------------------------------
rootdn "cn=Jason Armstrong,dc=example,dc=com"
rootpw  secret
suffix          "dc=example,dc=com"
directory       "/var/lib/ldap/example.com"
defaultaccess read
lastmod on

index objectclass eq
index cn,mail pres,eq,sub

access to *
    by dn="cn=Jason Armstrong,dc=example,dc=com" write
    by * read
----------------------------------------------------

ldapmodify shows that I can write:

$ ldapmodify -x -W -D "cn=Jason Armstrong,dc=example,dc=com" -h ldap.example.com -f /tmp/modify

And the logfile shows:

slapd[3723]: <= acl_access_allowed: granted to database root


However, I am unable to use gq to modify any entries. The GQ settings
for the server are:

----------------------------------------------------
LDAP host : ldap.example.com
Base DN  : dc=example,dc=com
Bind DN  : cn=Jason Armstrong,dc=example,dc=com
Bind type  : Simple
Search Attribute : (objectclass=*)
----------------------------------------------------

But attempting to modify an entry gives the message: Insufficient
access, and the logfile shows:

=> access_allowed: write access to "cn=Test,dc=example,dc=com" "description" requested
=> acl_get: [1] check attr description
<= acl_get: [1] acl cn=Test,dc=example,dc=com attr: description
=> acl_mask: access to entry "cn=Test,dc=example,dc=com", attr "description" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: cn=Jason Armstrong,dc=example,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)


So, is it my GQ configuration that is wrong, or my LDAP setup? Or do I
somewhere need to specify that I have write access to all attributes?

Also, where do you see that an authentication attempt fails? I can see
above: acl_access_allowed: granted to database root, when it succeeds,
but nothing in the second example shows me why I have failed to get
write access.

Thanks for any help.

--
Jason Armstrong
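
An added example, not part of the original post and not OpenLDAP code: a Python parser that condenses the ACL trace quoted above into the requester, the `by` patterns checked, the clause that applied and the outcome. It assumes the quoted string after `by` in the `acl_mask: to value by "..."` line is the DN slapd evaluated the request under, so an empty string is reported as anonymous; `summarize` and its field names are hypothetical.

```python
import re

# ACL trace lines copied from the post (the failing GQ attempt).
TRACE = """\
=> access_allowed: write access to "cn=Test,dc=example,dc=com" "description" requested
=> acl_get: [1] check attr description
<= acl_get: [1] acl cn=Test,dc=example,dc=com attr: description
=> acl_mask: access to entry "cn=Test,dc=example,dc=com", attr "description" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: cn=Jason Armstrong,dc=example,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
"""

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'acl_mask: to .* by "([^"]*)"')  # assumption: requester DN, "" = anonymous
PAT = re.compile(r'check a_dn_pat: (.+)')
HIT = re.compile(r'acl_mask: \[(\d+)\] applying (\w+) \(')
END = re.compile(r'access_allowed: \w+ access (granted|denied) by (\w+)')
ROOT = "acl_access_allowed: granted to database root"

def summarize(trace):
    """Return one dict per access decision found in a slapd ACL trace."""
    decisions, cur = [], None
    for line in trace.splitlines():
        if ROOT in line:  # rootdn bind: logged without any clause evaluation
            decisions.append({"result": "granted", "why": "database root"})
        elif m := REQ.search(line):
            cur = {"access": m[1], "entry": m[2], "attr": m[3],
                   "requester": None, "checked": [], "clause": None}
        elif cur is None:
            continue
        elif m := WHO.search(line):
            cur["requester"] = m[1] or "(anonymous)"
        elif m := PAT.search(line):
            cur["checked"].append(m[1].strip())
        elif m := HIT.search(line):
            cur["clause"], cur["level"] = int(m[1]), m[2]
        elif m := END.search(line):
            cur["result"], cur["why"] = m[1], m[2]
            decisions.append(cur)
            cur = None
    return decisions

if __name__ == "__main__":
    for decision in summarize(TRACE):
        print(decision)
```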