Re: Decyphering openldap ACL logs
rajkumars@asianetindia.com writes:
> Hi,
>
> I am working on configuring qmail-ldap and facing some permission problems with my ldap configuration.
>
> My slapd.conf's acl section is something like
>
> access to attr=userPassword
>     by anonymous auth
>
> access to *
>     by dn="cn=admin,dc=com" write
>     by aci write
>     by * read
> with aci's configured in my directory.
You allowed read access to the entire tree.
> To debug the problem I enabled logging with level 128, and I am getting copious logs. I am somewhat able to make out what the logs mean, but in order to get the exact meaning I searched for some documentation about the log entries. But I could not find any.
>
> One of my log fragments looks like this:
> => access_allowed: write access to "dc=cse,dc=com" "entry" requested
> => acl_get: [1] check attr entry
> => acl_get: [2] check attr entry
> <= acl_get: [2] acl dc=cse,dc=com attr: entry
> => acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
> => acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
> <= check a_dn_pat: cn=admin,dc=com
> <= check a_dn_pat: *
> <= acl_mask: [3] applying read(=rscx) (stop)
> <= acl_mask: [3] mask: read(=rscx)
> => access_allowed: write access denied by read(=rscx)
uid=mailadmin,dc=com requests write access, rule 3 is applied, which
is 'access to * by * read'
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
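
Added example, not part of the original thread: a small Python parser that reduces the level-128 trace quoted above to the clause that decided the request and reports whether the applied mask lacks the privilege asked for. It assumes the bracketed number on `acl_get` lines is the position of the matching `access to` directive and the one on `acl_mask` lines is the position of the `by` clause inside it, which fits the quoted configuration; the function and field names are illustrative.

```python
import re

# Constructed input: the log fragment from the post, wrapped lines rejoined.
SAMPLE = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Privilege letter each access level needs in the final mask.
NEEDS = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

RULES = [  # (field names, pattern) for the trace lines that carry the decision
    (("level", "entry", "attr"),
     r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested'),
    (("acl_index",), r"<= acl_get: \[(\d+)\] acl "),
    (("requester",), r'=> acl_mask: to .* by "([^"]*)"'),
    (("by_index", "applied", "mask", "control"),
     r"<= acl_mask: \[(\d+)\] applying (\w+)\(=([^)]*)\) \((\w+)\)"),
    (("outcome",), r"=> access_allowed: \w+ access (granted|denied) by "),
]

def summarize(trace):
    """Reduce one access_allowed trace to the clause that decided it."""
    out = {"patterns_tried": []}
    for line in trace.splitlines():
        tried = re.search(r"<= check a_dn_pat: (.+)", line)
        if tried:
            out["patterns_tried"].append(tried.group(1).strip())
        for names, rx in RULES:
            m = re.search(rx, line)
            if m:
                out.update(zip(names, m.groups()))
    if "mask" in out and "level" in out:
        # True when the winning mask lacks the letter the request needs.
        out["missing"] = NEEDS.get(out["level"], "?") not in out["mask"]
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted trace this reports directive 2, `by` clause 3, mask `rscx` with control `stop`, and `missing: True`, because a write request needs `w` in the mask.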