[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ACL - user not able to modify self
- To: OpenLDAP-software@OpenLDAP.org, proguru2@yahoo.com
- Subject: ACL - user not able to modify self
- From: Mo Mahmoud <proguru2@yahoo.com>
- Date: Tue, 19 Jul 2005 12:06:51 -0700 (PDT)
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=FgaRVPq3aK3AR8FnApCemhkjovsG7ZuvJMTWQyRLdkxKhkOzKXyCYoD8gZWUk+aylF9vINIkLZGBt2dLJiLYAvxPdGMcTtoOTV7jV5AYchbuwVcgtm/Gs8Obzn43d+2VUk4PO5F+f/a6OZ09tzbbTCbyGNXpwcGvUeTyATxhcXY= ;
Hi.
Quick problem summary: Almost all acl's rules are
working fine except 'self' rules - eg. any person
cannot modify his/her directory information.
Detailed explanation:
I have setup an openldap instance and tree in the
following fashion:
Root node: suffix
underneath this there is a ou=people node
underneath this there are the ou's: admins, managers,
devels, priv users, reg users
My ACL list is as follows:
# Access rights
# Allow admins to modify managers, devels, priv.
users, users (continued below)
access to
dn.children="ou=managers,ou=people,dc=suffix"
by dn.children="ou=admins,ou=people,dc=suffix"
write
by self write
access to dn.children="ou=devels,ou=people,dc=suffix"
by dn.children="ou=admins,ou=people,dc=suffix"
write
by self write
# Allow managers to modify priv users and users
# Allow devels to read priv users and regular users
access to dn.children="ou=priv
users,ou=people,dc=suffix"
by dn.children="ou=admins,ou=people,dc=suffix"
write
by
dn.children="ou=managers,ou=people,dc=suffix" write
by dn.children="ou=devels,ou=people,dc=suffix"
read
by self write
access to dn.children="ou=reg
users,ou=people,dc=suffix"
by dn.children="ou=admins,ou=people,dc=suffix"
write
by
dn.children="ou=managers,ou=people,dc=suffix" write
by dn.children="ou=devels,ou=people,dc=suffix"
read
by self write
# Allow all users to authenticate,
# else if no other conditions are met, deny access
access to *
by anonymous auth
by self write
by none
As of right now I am simply using the tools that came
with ldap to do everything (eg. ldapadd, ldapmodify,
ldapsearch, etc)
For the most part this works as described in the
comments.
The problem occurs when a person (no matter what ou
they fall under) tries to modify their own information
(such as password, telephone, etc.) If a user tries to
do so they get the error: "ldap_bind: Insufficient
access (50)" and slapd generates the following output
(running with debug level of 384) (for this example i
tried to change a priv user's info as the user, the
same output will be generated regardless of the
person, so long as they are trying to modify their
information):
conn=0 fd=12 ACCEPT from IP=127.0.0.1:57120
(IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=blahUserName,ou=priv
users,ou=people,dc=suffix" method=128
=> access_allowed: auth access to
"cn=blahUserName,ou=priv users,ou=people,dc=suffix"
"authAuthority" requested
=> acl_get: [1] check attr authAuthority
=> dn: [2] ou=managers,ou=people,dc=suffix
=> dn: [3] ou=devels,ou=people,dc=suffix
=> dn: [4] ou=priv users,ou=people,dc=suffix
=> acl_get: [4] matched
=> acl_get: [4] check attr authAuthority
<= acl_get: [4] acl cn=blahUserName,ou=priv
users,ou=people,dc=suffix attr: authAuthority
=> acl_mask: access to entry "cn=blahUserName,ou=priv
users,ou=people,dc=suffix", attr "authAuthority"
requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: ou=admins,ou=people,dc=suffix
<= check a_dn_pat: ou=managers,ou=people,dc=suffix
<= check a_dn_pat: ou=devels,ou=people,dc=suffix
<= check a_dn_pat: self
<= acl_mask: no more <who> clauses, returning =n
(stop)
=> access_allowed: auth access denied by =n
conn=0 op=0 RESULT tag=97 err=50 text=
conn=0 fd=12 closed
Is there any way to do what I am trying to do as
described in the acl comments, and allow a person to
modify his/her info? Thanks in advance.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com