Re: Problem with access to OpenLDAP
access to dn.subtree="ou=Contacts,dc=e-qual,dc=fr"
by dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" write
should give you what you want
:-)
----- Original Message -----
From: <philippe.broussard@e-qual.fr>
To: <openldap-software@OpenLDAP.org>
Sent: Friday, May 30, 2003 4:48 PM
Subject: Problem with access to OpenLDAP
>
> Hi,
>
>
>
> I want to log in with a user, AdminContacts, and not the superuser. I
> have defined an ACI about him:
>
> access to dn="ou=Contacts,dc=e-qual,dc=fr"
>         by dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" write
>
> and here is the ldif of AdminContacts :
>
> # LDIF Export for: cn=AdminContacts
> # Scope: base, 1 objects
> # Generated by DaveDAP on May 30, 2003 12:00 pm
>
> dn: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
> objectclass: person
> objectclass: top
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> userpassword: poiuyt
> sn: AdminContacts
> cn: AdminContacts
> uid: AdminContacts
>
>
> Do you have an idea about the solution?
> Is my ACI wrong? (I want AdminContacts to be able to write, delete... any
> entry in the branch ou=Contacts,dc=e-qual,dc=fr)
>
>
> Philippe
>
>
>
> conn=0 fd=12 ACCEPT from IP=192.168.1.53:1293 (IP=0.0.0.0:389)
> connection_get(12)
> conn=0 op=0 BIND dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" method=128
> ==> bdb_bind: dn: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
> => access_allowed: auth access to "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" "userPassword" requested
> => dnpat: [1] ou=Contacts,dc=e-qual,dc=fr nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr attr: userPassword
> => match[0]: 17 44 ou=contacts,dc=e-qual,dc=fr
> => acl_mask: access to entry "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr", attr "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: auth access denied by =n
> send_ldap_result: err=50 matched="" text=""
> conn=0 op=0 RESULT tag=97 err=50 text=
> connection_get(12)
> do_add: invalid dn (cn=toto36 toto36,ou=,dc=e-qual,dc=fr)
> send_ldap_result: err=34 matched="" text="invalid DN"
> conn=0 op=1 RESULT tag=105 err=34 text=invalid DN
> connection_get(12)
> conn=0 op=2 UNBIND
> conn=0 fd=12 closed
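As an added illustration, not code from the thread or from OpenLDAP, this toy model walks an ACL list the way the slapd trace above does: the `<what>` pattern matched the AdminContacts entry (the `match[0]: 17 44` line), but the BIND itself was evaluated as the anonymous identity `""`, and no `by` clause covers it, so the result is `=n` and err=50. It assumes the unanchored old-style `dn=` matching the trace shows, a constructed `cn=toto36` entry in the branch, and a FIXED rule set that uses the reply's `dn.subtree` form and adds the `by anonymous auth` clause a simple bind needs on userPassword.

```python
import re

# Toy model of how slapd walks "access to <what> by <who> <level>" rules.
# Added for illustration; not OpenLDAP code. Levels are in increasing order.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def what_matches(pattern, style, entry_dn):
    """<what> clause. 'regex' is the unanchored old-style dn= match that let
    ou=Contacts,... match cn=AdminContacts,ou=Contacts,... in the trace."""
    p, d = pattern.lower(), entry_dn.lower()
    if style == "regex":
        return re.search(p, d) is not None
    if style == "exact":
        return d == p
    return d == p or d.endswith("," + p)  # subtree: the entry and everything below

def who_matches(who, bind_dn):
    """<who> clause: '*', 'anonymous', or ('dn', exact DN). bind_dn '' is anonymous,
    which is the identity a simple BIND itself is checked under."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    return bind_dn != "" and bind_dn.lower() == who[1].lower()

def access_allowed(acls, entry_dn, bind_dn, wanted):
    """First ACL whose <what> matches decides; its <who> clauses are tried in order.
    No matching <who> gives =n and stops ('no more <who> clauses' in the trace).
    An entry no ACL covers is denied here (a simplification of this model)."""
    for pattern, style, by in acls:
        if not what_matches(pattern, style, entry_dn):
            continue
        for who, level in by:
            if who_matches(who, bind_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False

ADMIN = "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr"
BRANCH = "ou=Contacts,dc=e-qual,dc=fr"
# Constructed rule sets: ORIGINAL is the poster's single rule; FIXED uses dn.subtree
# as the reply suggests and adds the anonymous auth clause a simple bind needs.
ORIGINAL = [(BRANCH, "regex", [(("dn", ADMIN), "write")])]
FIXED = [(BRANCH, "subtree", [("anonymous", "auth"), (("dn", ADMIN), "write")])]

def bind_then_write(acls):
    """Replays the trace: anonymous auth check on the admin's userPassword, then the
    admin adding a constructed entry in the branch. Returns (bind_ok, write_ok)."""
    bind_ok = access_allowed(acls, ADMIN, "", "auth")
    new_entry = "cn=toto36,ou=Contacts,dc=e-qual,dc=fr"  # constructed entry
    write_ok = bind_ok and access_allowed(acls, new_entry, ADMIN, "write")
    return bind_ok, write_ok
```

`bind_then_write(ORIGINAL)` reproduces the denied bind from the trace, while `bind_then_write(FIXED)` lets AdminContacts authenticate and then write below ou=Contacts.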