Re: Access Control by Organizational Unit?
Thanks to all for their help so far.
I am having a problem. I can read, but not write to
the ldap db.
First, here is my set of access rules in slapd.conf:
access to * by * read
access to * by * search
access to *
        by self write
        by dn.base="cn=ldap-admin,o=test.com" write
        by * none
access to dn.regex="[^,]*,(ou=.*)" attr=userPassword
        by self write
        by dn.regex="cn=Manager,$1" write
        by * auth
access to dn.regex="[^,]*,(ou=.*)"
        by dn.regex="cn=Manager,$1" write
        by * read
access to dn.regex="(ou=.*)" attr=children
        by dn.regex="cn=Manager,$1" write
        by * read
(Note, I changed the cn to Manager).
I can use the following command to successfully read
from the ldap db:
ldapsearch -LLL -b "ou=org1, o=test.com" -x -D \
"cn=Manager, ou=org1, o=test.com" -w password \
"(cn=*)" ou sn cn
And the correct data is read from the db. Meaning all
the cn entries within the OU org1 are listed as one
would expect from the syntax of the ldapsearch
command.
Great so far!
But, when I try to delete a person's cn entry, I
receive an error. Here's the command:
ldapmodify -x -D "cn=Manager, ou=org1, o=test.com" \
-w password
and then enter the following from stdin:
dn: cn=Rock1 , ou=org1, o=test.com
changetype: delete
{blank line} followed by ENTER
I receive the following error on stdout:
"ldap_delete: Insufficient access (50)
additional info: no write access to entry"
A slapd debug log (level 168) shows:
=> access_allowed: write access to "cn=Rock1 ,ou=org1 ,o=test.com" "entry" requested
=> acl_get: [1] check attr entry
<= acl_get: [1] acl cn=Rock1,ou=org1,o=test.com attr: entry
=> acl_mask: access to entry "cn=Rock1,ou=org1,o=test.com", attr "entry" requested
=> acl_mask: to all values by "cn=manager,ou=org1,o=test.com", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
So, clearly I have read access, but not write access
for the Manager entry in the org1 OU.
Also clearly I do not understand how to create the
access lists.
Any advice would be appreciated. I decided that I can
have each OU use the dn: cn: Manager ou: org o:
test.com until I understand more about the way this
works.
Thanks for helping, I appreciate it muchly.
HeatherL
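The evaluation order behind the debug output, as an added illustration that is not part of the original post: slapd walks the `access to` directives in configuration order, takes the first one whose `<what>` clause matches the entry and attribute being touched, and stops there, which is exactly what the `[1] applying read(=rscx) (stop)` line reports. The Python below is a constructed, simplified model of that first-match rule (it is not slapd's code). It encodes the ruleset from the post, checks the delete the post describes (write to the entry's `entry` pseudo-attribute plus write to the parent's `children` pseudo-attribute), and then evaluates the same rules with the three catch-all `access to *` directives moved after the specific `dn.regex` ones, so the per-OU Manager rules are reached. DN normalization, `$1` expansion and the default when nothing matches are deliberately simplified.

```python
import re

# Access levels in increasing order; granting a level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize(dn):
    """Rough stand-in for slapd's DN normalization: trim RDN spacing, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def who_matches(who, bind_dn, target_dn, target_match):
    """Does one <by> clause apply to the (normalized) bind DN?"""
    if who == "*":
        return True
    if who == "self":
        return bind_dn == target_dn
    if who.startswith("dn.base="):
        return bind_dn == normalize(who[len("dn.base="):])
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        if target_match is not None:
            # $1..$9 expand to capture groups of the <what> regex. The captured text
            # is escaped here; slapd substitutes it raw, a simplification in this model.
            pattern = re.sub(r"\$(\d)",
                             lambda g: re.escape(target_match.group(int(g.group(1)))),
                             pattern)
        return re.search(pattern, bind_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported <by> clause: " + who)


def evaluate(acl, bind_dn, target_dn, attr):
    """First <access to> directive whose <what> matches decides; evaluation then stops.
    Returns (granted_level, directive_number), numbered from 1 like the [n] in
    slapd's acl_mask debug lines."""
    bind_norm, target_norm = normalize(bind_dn), normalize(target_dn)
    for number, (target_pat, attr_filter, clauses) in enumerate(acl, start=1):
        if attr_filter is not None and attr_filter.lower() != attr.lower():
            continue                          # directive restricted to another attr
        match = None
        if target_pat != "*":
            match = re.search(target_pat, target_norm, re.IGNORECASE)
            if match is None:
                continue                      # <what> does not cover this entry
        for who, level in clauses:            # first matching <by> clause wins
            if who_matches(who, bind_norm, target_norm, match):
                return level, number
        return "none", number                 # directive matched, no clause did
    return "none", None                       # nothing matched (simplified default)


def allowed(acl, bind_dn, target_dn, attr, requested):
    level, _ = evaluate(acl, bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(requested)


def can_delete(acl, bind_dn, entry_dn):
    """A delete needs write on the entry's 'entry' pseudo-attribute and write on
    the parent's 'children' pseudo-attribute."""
    parent_dn = normalize(entry_dn).split(",", 1)[1]
    return (allowed(acl, bind_dn, entry_dn, "entry", "write")
            and allowed(acl, bind_dn, parent_dn, "children", "write"))


# The post's slapd.conf rules, in the order given. Each directive is
# (<what> dn regex or "*", attr filter or None, [(<by> who, level), ...]).
POSTED_ACL = [
    ("*", None, [("*", "read")]),
    ("*", None, [("*", "search")]),
    ("*", None, [("self", "write"),
                 ("dn.base=cn=ldap-admin,o=test.com", "write"),
                 ("*", "none")]),
    ("[^,]*,(ou=.*)", "userPassword", [("self", "write"),
                                       ("dn.regex=cn=Manager,$1", "write"),
                                       ("*", "auth")]),
    ("[^,]*,(ou=.*)", None, [("dn.regex=cn=Manager,$1", "write"), ("*", "read")]),
    ("(ou=.*)", "children", [("dn.regex=cn=Manager,$1", "write"), ("*", "read")]),
]

# Same rules with the three catch-all "access to *" directives moved last.
REORDERED_ACL = POSTED_ACL[3:] + POSTED_ACL[:3]

MANAGER = "cn=Manager, ou=org1, o=test.com"   # bind DN from the post
ROCK1 = "cn=Rock1 , ou=org1, o=test.com"      # entry the post tries to delete

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("reordered", REORDERED_ACL)):
        print(name, "entry ->", evaluate(acl, MANAGER, ROCK1, "entry"),
              "delete allowed:", can_delete(acl, MANAGER, ROCK1))
```

With the posted order, every check lands on directive 1 and gets `read`, matching the `access_allowed: write access denied by read(=rscx)` line; with the catch-alls last, the org1 Manager reaches the `dn.regex` directives and gets `write` on both the entry and the parent's `children`, while the same bind DN still only gets `read` on an entry under a different OU.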