Openldap Aci Problem

Hello!
       I am a new user to openldap and I am using it on Debian with
openldap-2.2.13, which I have compiled using the following
sequence:

       # ./configure --disable-bdb --enable-ldbm --with-ldbm-api=gdbm \
           --enable-crypt --enable-aci=yes --prefix=/home/bhavesh/tmp/deleteme/
       # make depend
       # make
       # make install

       Then I made changes in slapd.conf, such as "database ldbm",
       and my slapd.conf now looks like this:

loglevel    2
include     /usr/local/ldap/etc/openldap/schema/core.schema
include     /usr/local/ldap/etc/openldap/schema/cosine.schema
include     /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include     /usr/local/ldap/etc/openldap/schema/nis.schema

pidfile     /tmp/try//var/run/slapd.pid
argsfile    /tmp/try//var/run/slapd.args

database    ldbm
suffix      "dc=lan,dc=deeproot,dc=co,dc=in"
#rootdn     "cn=admin,dc=lan,dc=deeproot,dc=co,dc=in"
#rootpw     admin
rootdn      "uid=easypush,ou=people,dc=lan,dc=deeproot,dc=co,dc=in"
rootpw      easypush
#directory  /usr/local/ldap/var/openldap-ldbm
directory   /home/bhavesh/tmp/try/var/openldap-data

index       objectClass eq


access to *
    by aci write
    by * none

           I have followed the steps from the following reference:
http://www.openldap.org/faq/data/cache/634.html

In that reference I can't understand the second step. For ACI, which
access.conf do I have to change? I can't find access.conf on my
system, so I have written "access to * by aci write" in slapd.conf.
If you know about access.conf, then please tell me in which
access.conf I have to write it.

All the LDIF entries that I have added to my server are:

dn: dc=lan,dc=deeproot,dc=co,dc=in
o: deeproot
dc: lan
objectClass: top
objectClass: organization
objectClass: dcObject

dn: ou=addressBook,dc=lan,dc=deeproot,dc=co,dc=in
ou: addressBook
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=lan,dc=deeproot,dc=co,dc=in
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=addressBook1,dc=lan,dc=deeproot,dc=co,dc=in
ou: addressBook1
objectClass: top
objectClass: organizationalUnit

dn: uid=bhavesh,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh
objectClass: organizationalUnit
objectClass: uidObject
ou: Deeproot

dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh1
userPassword:: e0NSWVBUfXJmV2dxbk8vcklKZlU=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject

dn: uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh2
userPassword:: e0NSWVBUfURGSTVpd00vaDl2RU0=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject

dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh3
userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in


     All these entries were added successfully, but what I want is that
the entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in is
accessible only by dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in,
so I have added the ACI to the last entry.

But when I do

# ldapsearch -b "dc=lan,dc=deeproot,dc=co,dc=in" -D "uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in" -W


# extended LDIF
#
# LDAPv3
# base <uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# bhavesh3, lan.deeproot.co.in
dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
uid: bhavesh3
userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
objectClass: top
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So the entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in is
readable by user bhavesh2, which should not happen.

       Please help me if you find any step missing or wrong in the given
sequence.


Thanks,
  Bhavesh.
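The following is a small model of what the posted configuration is supposed to answer, added here as an example; it is neither part of Bhavesh's post nor OpenLDAP's own evaluator. It parses the OpenLDAPaci value exactly as it appears in the post (OID#SCOPE#RIGHTS#TYPE#SUBJECT, with RIGHTS as one or more action;perms;attrs groups) and decides a permission for a bind DN under the slapd.conf rule "access to * by aci write by * none". Assumptions, all labelled in the code: only the access-id and self subject types are handled; a matching deny clause outranks a matching grant, which is the model's conservative choice, not a claim about slapd's ordering; and the ou=People rule with children scope and the uid=example entry are constructed to exercise scope handling and do not come from the post.

```python
"""Model of the OpenLDAPaci policy from the post (added example, not slapd code).

Grammar accepted: OID#SCOPE#RIGHTS#TYPE#SUBJECT, RIGHTS = action;perms;attrs
groups, TYPE in {access-id, self}.  Anything marked 'constructed' is sample
data, not from the post."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

BASE = "dc=lan,dc=deeproot,dc=co,dc=in"
BHAVESH1 = f"uid=bhavesh1,{BASE}"
BHAVESH2 = f"uid=bhavesh2,{BASE}"
BHAVESH3 = f"uid=bhavesh3,{BASE}"

# As posted, only uid=bhavesh3 carries an ACI.  The ou=People rule with
# 'children' scope is constructed to show how scope is applied.
DIRECTORY: Dict[str, List[str]] = {
    BHAVESH3: [f"1#entry#grant;r,w,s,c;[all]#access-id#{BHAVESH1}"],
    f"ou=People,{BASE}": [f"2#children#grant;r,s;[all]#access-id#{BHAVESH2}"],  # constructed
}


def normalize_dn(dn: str) -> str:
    """Comparison key: lowercase, no whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Clause:
    action: str        # 'grant' or 'deny'
    perms: Set[str]    # e.g. {'r', 'w', 's', 'c'}
    attrs: Set[str]    # attribute names, or a bracket token such as '[all]'


@dataclass
class Aci:
    scope: str         # 'entry' (this entry) or 'children' (subordinates)
    clauses: List[Clause]
    subject_type: str  # 'access-id' or 'self'
    subject: str


def parse_aci(value: str) -> Aci:
    """Split one OpenLDAPaci value into its five '#'-separated fields."""
    fields = value.split("#")
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(fields)}")
    _oid, scope, rights, subject_type, subject = fields
    if scope not in ("entry", "children"):
        raise ValueError(f"unknown scope {scope!r}")
    if subject_type not in ("access-id", "self"):
        raise ValueError(f"subject type {subject_type!r} not handled by this model")
    parts = rights.split(";")
    if len(parts) % 3:
        raise ValueError("rights must be one or more action;perms;attrs groups")
    clauses = []
    for i in range(0, len(parts), 3):
        action, perms, attrs = parts[i:i + 3]
        if action not in ("grant", "deny"):
            raise ValueError(f"unknown action {action!r}")
        clauses.append(Clause(action, set(perms.split(",")), set(attrs.split(","))))
    return Aci(scope, clauses, subject_type, subject)


def applicable_acis(directory: Dict[str, List[str]], entry_dn: str) -> Iterator[Aci]:
    """ACIs stored on the entry itself ('entry' scope) plus ACIs stored on
    any ancestor with 'children' scope."""
    target = normalize_dn(entry_dn)
    for holder_dn, values in directory.items():
        holder = normalize_dn(holder_dn)
        for value in values:
            aci = parse_aci(value)
            if aci.scope == "entry" and holder == target:
                yield aci
            elif aci.scope == "children" and target.endswith("," + holder):
                yield aci


def subject_matches(aci: Aci, bind_dn: str, entry_dn: str) -> bool:
    if aci.subject_type == "access-id":
        return normalize_dn(aci.subject) == normalize_dn(bind_dn)
    return normalize_dn(bind_dn) == normalize_dn(entry_dn)  # 'self'


def clause_covers(clause: Clause, perm: str, attr: str) -> bool:
    return perm in clause.perms and ("[all]" in clause.attrs or attr in clause.attrs)


def access_allowed(directory, entry_dn, bind_dn, perm, attr="[entry]") -> bool:
    """Intended verdict under 'access to * by aci write / by * none'.

    A matching deny blocks, a matching grant allows, and with no match the
    'by * none' fallback denies.  Deny beating grant is an assumption of
    this model, not a statement about slapd's evaluation order."""
    granted = False
    for aci in applicable_acis(directory, entry_dn):
        if not subject_matches(aci, bind_dn, entry_dn):
            continue
        for clause in aci.clauses:
            if clause_covers(clause, perm, attr):
                if clause.action == "deny":
                    return False
                granted = True
    return granted


def expected_results() -> Dict[str, bool]:
    """What the posted rules should answer for the search in the post."""
    return {
        "bhavesh1 reads bhavesh3": access_allowed(DIRECTORY, BHAVESH3, BHAVESH1, "r", "userPassword"),
        "bhavesh2 reads bhavesh3": access_allowed(DIRECTORY, BHAVESH3, BHAVESH2, "r", "userPassword"),
        "anonymous reads bhavesh3": access_allowed(DIRECTORY, BHAVESH3, "", "r", "userPassword"),
    }


if __name__ == "__main__":
    for label, allowed in expected_results().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The model states only what the configured rules are meant to return: read on uid=bhavesh3 for bhavesh1, denied for bhavesh2 and for anonymous. It does not say why slapd returned the entry to bhavesh2; comparing its verdict with the ldapsearch output above is the check to make before chasing the cause in the build options, the slapd.conf access directive or the LDIF.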