OpenLDAP ACI Problem
Hello!
I am a new user of OpenLDAP. I am using openldap-2.2.13 on Debian, and I
have compiled it using the following sequence:
#./configure --disable-bdb --enable-ldbm --with-ldbm-api=gdbm \
    --enable-crypt --enable-aci=yes \
    --prefix=/home/bhavesh/tmp/deleteme/
#make depend
#make
#make install
Then I have made changes in slapd.conf, such as "database ldbm", and my
slapd.conf is as follows:
loglevel 2
include /usr/local/ldap/etc/openldap/schema/core.schema
include /usr/local/ldap/etc/openldap/schema/cosine.schema
include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap/etc/openldap/schema/nis.schema
pidfile /tmp/try//var/run/slapd.pid
argsfile /tmp/try//var/run/slapd.args
database ldbm
suffix "dc=lan,dc=deeproot,dc=co,dc=in"
#rootdn "cn=admin,dc=lan,dc=deeproot,dc=co,dc=in"
#rootpw admin
rootdn "uid=easypush,ou=people,dc=lan,dc=deeproot,dc=co,dc=in"
rootpw easypush
#directory /usr/local/ldap/var/openldap-ldbm
directory /home/bhavesh/tmp/try/var/openldap-data
index objectClass eq
access to *
by aci write
by * none
I have followed the sequence from the following reference:
http://www.openldap.org/faq/data/cache/634.html
In that reference I can't understand the second step. For ACI, which
access.conf do I have to change? I am not able to find access.conf on my
system, so I have written "access to * by aci write" in slapd.conf.
If you know about access.conf then please tell me in which access.conf
I have to write it.
All the LDIF entries that I have added to my server are:
dn: dc=lan,dc=deeproot,dc=co,dc=in
o: deeproot
dc: lan
objectClass: top
objectClass: organization
objectClass: dcObject

dn: ou=addressBook,dc=lan,dc=deeproot,dc=co,dc=in
ou: addressBook
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=lan,dc=deeproot,dc=co,dc=in
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=addressBook1,dc=lan,dc=deeproot,dc=co,dc=in
ou: addressBook1
objectClass: top
objectClass: organizationalUnit

dn: uid=bhavesh,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh
objectClass: organizationalUnit
objectClass: uidObject
ou: Deeproot

dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh1
userPassword:: e0NSWVBUfXJmV2dxbk8vcklKZlU=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject

dn: uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh2
userPassword:: e0NSWVBUfURGSTVpd00vaDl2RU0=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject

dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh3
userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in
All these entries are successfully added, but what I want is that the
entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in will only be
accessible by dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in, so I have
added the ACI to the last entry.
But when I do
#ldapsearch -b "dc=lan,dc=deeproot,dc=co,dc=in" -D "uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in" -W
# extended LDIF
#
# LDAPv3
# base <uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# bhavesh3, lan.deeproot.co.in
dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh3
userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Then the entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in is
readable by user bhavesh2, which should not happen.
Please help me if you find any step missing or wrong in the given
sequence.
Thanks,
Bhavesh.
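As an added example (not part of the post above and not OpenLDAP's own code), the following Python parses OpenLDAPaci values in the OID#scope#rights#type#subject form used in the post and evaluates which bind DN the ACI grants which permission on the entry, so the policy the attribute expresses can be checked independently of what slapd returns. It is a deliberately simplified model by assumption: entry scope only, the subject types access-id, self, public and users, and deny overriding grant; group, role, set and dnattr subjects would need directory lookups and are treated as never matching.

```python
PERMS = set("rwscx")  # permission letters: read, write, search, compare, auth

def parse_aci(value):
    """Split OID#scope#rights#type#subject; rights is action;perms;attrs triples."""
    oid, scope, rights, stype, subject = value.split("#")  # ValueError if not 5 fields
    if scope not in ("entry", "children"):
        raise ValueError(f"bad scope {scope!r}")
    fields = rights.split(";")
    if len(fields) % 3:
        raise ValueError("rights must be action;perms;attrs triples")
    rules = []
    for i in range(0, len(fields), 3):
        action, perms, attrs = fields[i:i + 3]
        pset = {p for p in perms.split(",") if p}
        if action not in ("grant", "deny") or not pset <= PERMS:
            raise ValueError(f"bad rule {action!r};{perms!r}")
        rules.append((action, pset, {a.strip().lower() for a in attrs.split(",") if a}))
    return {"oid": oid, "scope": scope, "rules": rules, "type": stype, "subject": subject}

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def subject_matches(aci, bind_dn, entry_dn):
    """Assumption: only public/users/self/access-id are modelled; other types never match."""
    t = aci["type"]
    if t == "public":
        return True
    if not bind_dn:  # anonymous bind matches none of the remaining subject types
        return False
    if t == "users":
        return True
    if t == "self":
        return norm_dn(bind_dn) == norm_dn(entry_dn)
    return t == "access-id" and norm_dn(bind_dn) == norm_dn(aci["subject"])

def allowed(acis, bind_dn, entry_dn, perm, attr="entry"):
    """True if an entry-scope grant covers (perm, attr) and no deny does (deny wins)."""
    granted = denied = False
    for aci in acis:
        if aci["scope"] != "entry" or not subject_matches(aci, bind_dn, entry_dn):
            continue
        for action, perms, attrs in aci["rules"]:
            if perm in perms and ("[all]" in attrs or attr.lower() in attrs):
                granted |= action == "grant"
                denied |= action == "deny"
    return granted and not denied

# The ACI the post places on the bhavesh3 entry (value copied from the post).
ENTRY = "uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in"
ACIS = [parse_aci("1#entry#grant;r,w,s,c;[all]#access-id#uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in")]
```

Calling allowed(ACIS, bind_dn, ENTRY, "r") for the two bind DNs from the post reports read granted to bhavesh1 and not to bhavesh2, which is the policy the attribute value states.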