ACLs for ACI use
I'm trying to use the following ACL:
----- s n i p -----
access to dn.base=""
attrs=supportedSASLMechanisms,namingContexts
by domain=".*\.bayour\.com" read
by peername="IP=127\.0\.0\.1:.*" read
by * search
access to attrs=dc,c,o,ou,krb5PrincipalName,objectClass,entry
by domain=".*\.bayour\.com" read
by peername="IP=127\.0\.0\.1:.*" read
by aci=OpenLDAPaci write
access to * by * none
----- s n i p -----
The ACI entry (in _every_ object) looks like:
----- s n i p -----
openLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#cn=turbo fredriksson,ou=people,o=fredriksson,c=se
----- s n i p -----
The command 'ldapwhoami' (with 'access to * by * read') says:
----- s n i p -----
[tuzjfi.tty2]$ ldapwhoami -h localhost
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn:cn=turbo fredriksson,ou=people,o=fredriksson,c=se
----- s n i p -----
What happens is the following:
----- s n i p -----
[tuzjfi.tty2]$ ldapsearch -x -LLL -h localhost -b c=SE -s one 'o=Agby' o
dn: o=Agby,c=SE
o: Agby
o: Jens Agby
[tuzjfi.tty2]$ ldapsearch -LLL -h localhost -b c=SE -s one 'o=Agby' o
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn: o=Agby,c=SE
o: Agby
o: Jens Agby
[tuzjfi.tty2]$ cat /tmp/agby.ldif
dn: o=Agby,c=SE
replace: o
o: Agby
o: Jens Agby with Family
[tuzjfi.tty2]$ ldapmodify -h localhost -f /tmp/agby.ldif
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
modifying entry "o=Agby,c=SE"
ldapmodify: update failed: o=Agby,c=SE
ldap_modify: Insufficient access (50)
[tuzjfi.tty2]$
----- s n i p -----
Could someone please enlighten me on why I get 'Insufficient access'?
I've been able to figure out that it has something to do with missing
(or misplaced) keywords 'continue' and/or 'break', but I can't
figure out why/how (I think I've tried EVERY combination!).
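As an added illustration (not part of the original post), the following Python models how slapd walks the by clauses of the attrs directive quoted above, on the assumption, taken from slapd.access(5), that the first matching by clause decides unless it carries continue. The request dictionaries and the rights the ACI grants are constructed sample values; the model shows that a client matching the peername (or domain) clause is given read and nothing more, so the aci clause is only consulted for a client that matches neither, or when the earlier clauses say continue.

```python
import re

# slapd access levels in ascending order; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed model of the post's second directive (the one covering attribute "o"):
#   by domain=".*\.bayour\.com" read / by peername="IP=127\.0\.0\.1:.*" read / by aci=OpenLDAPaci write
# Each clause is (matcher, access, control); control is "stop" (slapd's default when
# none is written) or "continue"; "break" is not modelled here.
ATTR_DIRECTIVE = [
    (lambda r: re.fullmatch(r".*\.bayour\.com", r["domain"]) is not None, "read", "stop"),
    (lambda r: re.fullmatch(r"IP=127\.0\.0\.1:.*", r["peername"]) is not None, "read", "stop"),
    # The entry's openLDAPaci grants r,w,s,c to the bound DN, so this clause matches the poster.
    (lambda r: "w" in r["aci_rights"], "write", "stop"),
]

def evaluate(clauses, req):
    """Return the access level one directive yields for req.

    by clauses are tried in order; the first match decides unless it says "continue",
    in which case later matching clauses replace the level. No match at all falls
    through to the implicit "by * none" at the end of every directive.
    """
    granted = "none"
    for matches, access, control in clauses:
        if matches(req):
            granted = access
            if control != "continue":
                break
    return granted

def allowed(clauses, req, needed):
    """True if the level granted to req covers the level the operation needs."""
    return LEVELS.index(evaluate(clauses, req)) >= LEVELS.index(needed)

def with_continue(clauses):
    """Same directive with "continue" on the read clauses so the aci clause is reached."""
    return [(m, a, "continue" if a == "read" else c) for m, a, c in clauses]

# Constructed requests: the post's GSSAPI session from localhost (whose DN the ACI
# names) and a client that matches neither the domain nor the peername clause.
LOCAL = {"domain": "localhost", "peername": "IP=127.0.0.1:40000", "aci_rights": {"r", "w", "s", "c"}}
REMOTE = {"domain": "host.example.org", "peername": "IP=192.0.2.10:40000", "aci_rights": {"r", "w", "s", "c"}}

if __name__ == "__main__":
    print("search from localhost:", allowed(ATTR_DIRECTIVE, LOCAL, "read"))    # True: ldapsearch works
    print("modify from localhost:", allowed(ATTR_DIRECTIVE, LOCAL, "write"))   # False: Insufficient access
    print("modify from elsewhere:", allowed(ATTR_DIRECTIVE, REMOTE, "write"))  # True: only the aci clause matches
    print("modify with continue: ", allowed(with_continue(ATTR_DIRECTIVE), LOCAL, "write"))  # True
```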