
Re: ACL Headaches



* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 20:52]:
> Every ACL listing now has

I think the error is now in the 'access to dn=".*,dc=qm"' statement.
Apparently you want dn.regex, instead of dn.base (which is the default),
although I cannot see why. Because this ACL is never evaluated, your
user has no write access to your LDAP tree.

If there is not a pressing need to use dn.regex, use dn.subtree or
dn.children (look in man slapd.access).

> 	by dn="uid=silasb,ou=people,dc=qm" write
> 	by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write

Since you now have a working SASL regex, the second by-clause will
never evaluate to true. The ACL engine only sees the mapped DN,
so you can omit the second by-statement.

On a second note, if you want to check a "dn" it is always better to use
dn.exact (usually that is what you want). (OK, exact, or base, is the
default, but I like to have my ACLs 100% clear.)

> ldap_add: Insufficient access (50)
> 	additional info: no write access to parent

-- 
Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------
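The point made in the reply above, as an added illustration that is not part of the thread: a small Python model of how slapd compares a `<what>`/`<who>` DN clause under each style from slapd.access(5), and of why a `by dn=` clause naming the raw SASL cn=auth DN is never reached once an authz-regexp has rewritten it. The normalization routine and the authz-regexp rule are simplifying assumptions constructed for the example, not the poster's actual configuration.

```python
import re

# Constructed example (not from the thread): the SASL authz-regexp the poster
# is assumed to have, written with slapd.conf's $1 back-reference syntax.
SASL_AUTHZ_REGEXP = (r"^uid=([^,]+),cn=qm,cn=gssapi,cn=auth$",
                     "uid=$1,ou=people,dc=qm")

def normalize_dn(dn):
    """Simplified stand-in for slapd's DN normalization (assumption):
    lower-case and strip blanks around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def dn_matches(style, pattern, target):
    """Evaluate a <what>/<who> DN clause for one of the styles in
    slapd.access(5). 'exact' (alias 'base') is the default when no
    style is given, which is the case for dn=".*,dc=qm"."""
    t = normalize_dn(target)
    if style == "regex":
        # slapd runs a POSIX regex over the normalized DN; ^ and $ anchor it
        return re.search(pattern, t) is not None
    p = normalize_dn(pattern)
    if style in ("exact", "base"):
        return t == p          # literal comparison: '.*' is just two characters
    if style == "one":
        return t.endswith("," + p) and "," not in t[: -len(p) - 1]
    if style == "subtree":
        return t == p or t.endswith("," + p)
    if style == "children":
        return t.endswith("," + p)
    raise ValueError("unknown dn style: " + style)

def map_sasl_dn(sasl_dn, rule=SASL_AUTHZ_REGEXP):
    """Apply an authz-regexp (sasl-regexp in older slapd.conf) rule: the
    SASL authorization DN is rewritten to a tree DN before any ACL runs,
    so 'by' clauses naming the raw cn=auth DN are never compared."""
    search, replace = rule
    m = re.match(search, normalize_dn(sasl_dn))
    if not m:
        return normalize_dn(sasl_dn)
    return m.expand(re.sub(r"\$(\d+)", r"\\\1", replace))

if __name__ == "__main__":
    entry = "uid=silasb,ou=people,dc=qm"
    print(dn_matches("exact", ".*,dc=qm", entry))     # False: ACL never applies
    print(dn_matches("regex", ".*,dc=qm", entry))     # True
    print(dn_matches("subtree", "dc=qm", entry))      # True
    bound = map_sasl_dn("uid=silasb,cn=QM,cn=gssapi,cn=auth")
    print(bound)                                       # uid=silasb,ou=people,dc=qm
    print(dn_matches("exact", "uid=silasb,cn=QM,cn=gssapi,cn=auth", bound))  # False
```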