
RE: ACL Headaches



Ok,

My slapd.access file now looks like:

#########
olcAccess: to dn.base=""
	by dn="cn=ldapadmin,dc=qm" write
	by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
	by dn.exact="uid=silasb,ou=people,dc=qm" write
	by self write
	by * read

olcAccess: to *
	by dn="cn=ldapadmin,dc=qm" write
	by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
	by dn.exact="uid=silasb,ou=people,dc=qm" write
	by * read
#########

ldap_add: Insufficient access (50)
 	additional info: no write access to parent

Tried replacing dn.base="" with dn.base="dc=qm" dn.subtree="dc=qm" dn.children="dc=qm"
dn.subtree="" dn.children=""

Same story...



-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Karsten
Gorling
Sent: Thursday, September 22, 2005 12:16 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL Headaches


>* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 20:52]:
>> Every ACL listing now has
>
>I think the error is now in the 
>'access to dn=".*,dc=qm"' statement. Apparently you want dn.regex,
>instead of dn.base (which is default), although I cannot see why.
>Because this ACL is never evaluated, your user has no write-access to
>your LDAP-Tree.
>
>If there is not a pressing need to use dn.regex, use dn.subtree or
>dn.children (look in man slapd.access)
>
>> 	by dn="uid=silasb,ou=people,dc=qm" write
>> 	by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write
>
>Since you now have a working SASL-Regex the second by-clause will
>never be evaluated true. The ACL-Engine sees only the modified ACLs,
>so you can omit the second by-statement.
>
>On a second note, if you want to check a "dn" it is always better to use
>dn.exact (usually that is what you want) (ok, exact, or base, is the
>default, but I like to have my ACLs 100% clear)
>
>> ldap_add: Insufficient access (50)
>> 	additional info: no write access to parent
>
>-- 
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
>E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
>Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
>PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------
>
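The thread turns on two slapd.access rules: a `to` clause with `dn.base=""` (the default `dn=` style, as Karsten notes) selects only the empty DN, and slapd stops at the first `to` clause that selects the target entry, then at the first `by` clause that matches the bound identity. The script below is an added example, not OpenLDAP code and not part of this thread: it models the `dn.<style>` selectors (base/exact, one, subtree, children, regex), first-match evaluation, and the "write access to parent" requirement behind `ldap_add`, and transcribes the olcAccess values posted above into data so the effect of each selector can be checked against concrete DNs. The DN handling is deliberately simplified (no escaped commas, no attribute-level or `children` pseudo-attribute checks), and the bind DNs used in the demo are taken from the message, with the unmapped SASL form included only to show how the engine treats an identity that no `by dn=` clause names.

```python
import re

# slapd.access privilege levels, least to most (assumption: the 2.3 list,
# including "manage").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Simplified DN normalisation: lower-case, strip spaces around RDNs.
    Assumption for this example: no escaped commas inside attribute values."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def parent_dn(dn):
    """DN of the parent entry ('' for a top-level entry or the root DSE)."""
    n = norm_dn(dn)
    return ",".join(n.split(",")[1:]) if n else ""


def dn_matches(style, pattern, target):
    """Does the <what> selector dn.<style>=<pattern> select the entry at target?"""
    t, p = norm_dn(target), norm_dn(pattern)
    if style in ("base", "exact"):        # the named entry only (the default style)
        return t == p
    if style == "one":                    # immediate children only
        return t != p and parent_dn(t) == p
    is_below = t != p and (p == "" or t.endswith("," + p))
    if style == "subtree":                # the entry and everything below it
        return t == p or is_below
    if style == "children":               # everything below, not the entry itself
        return is_below
    if style == "regex":                  # regexec() semantics: unanchored search
        return re.search(pattern, t, re.IGNORECASE) is not None
    raise ValueError("unknown dn style: " + style)


def who_matches(who_spec, bind_dn, target):
    """<who> clauses modelled here: ('*',), ('anonymous',), ('users',),
    ('self',) and ('dn', style, pattern)."""
    kind = who_spec[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return norm_dn(bind_dn) == ""
    if kind == "users":
        return norm_dn(bind_dn) != ""
    if kind == "self":
        return norm_dn(bind_dn) != "" and norm_dn(bind_dn) == norm_dn(target)
    if kind == "dn":
        return dn_matches(who_spec[1], who_spec[2], bind_dn)
    raise ValueError("unknown who clause: " + kind)


def which_acl(acls, target):
    """Index of the first 'to' clause selecting target (first match wins), or None."""
    for i, acl in enumerate(acls):
        what = acl["to"]
        if what == "*" or dn_matches(what[0], what[1], target):
            return i
    return None


def evaluate(acls, bind_dn, target):
    """Privilege bind_dn is granted on the entry at target."""
    i = which_acl(acls, target)
    if i is None:
        return "none"                     # no directive selected the entry
    for who_spec, level in acls[i]["by"]:
        if who_matches(who_spec, bind_dn, target):
            return level                  # first matching 'by' clause wins
    return "none"                         # implicit trailing 'by * none'


def has_at_least(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def can_add(acls, bind_dn, new_dn):
    """ldap_add needs write access on the parent entry; otherwise slapd reports
    'no write access to parent'. Simplification: the parent entry as a whole is
    checked, not its 'children' pseudo-attribute."""
    return has_at_least(evaluate(acls, bind_dn, parent_dn(new_dn)), "write")


# The two olcAccess values from the message above, transcribed by hand into
# data (constructed for this example; 'by dn=' is taken as dn.exact).
POSTED_ACLS = [
    {"to": ("base", ""),
     "by": [(("dn", "exact", "cn=ldapadmin,dc=qm"), "write"),
            (("dn", "exact", "uid=ldapadmin,cn=QM,cn=gssapi,cn=auth"), "write"),
            (("dn", "exact", "uid=silasb,ou=people,dc=qm"), "write"),
            (("self",), "write"),
            (("*",), "read")]},
    {"to": "*",
     "by": [(("dn", "exact", "cn=ldapadmin,dc=qm"), "write"),
            (("dn", "exact", "uid=ldapadmin,cn=QM,cn=gssapi,cn=auth"), "write"),
            (("dn", "exact", "uid=silasb,ou=people,dc=qm"), "write"),
            (("*",), "read")]},
]

if __name__ == "__main__":
    for bind in ("uid=silasb,ou=people,dc=qm",
                 "uid=silasb,cn=QM,cn=gssapi,cn=auth", ""):
        print(bind or "anonymous", "->",
              evaluate(POSTED_ACLS, bind, "ou=people,dc=qm"),
              "| can add under ou=people:",
              can_add(POSTED_ACLS, bind, "uid=new,ou=people,dc=qm"))
```

Running the demo shows that `dn.base=""` selects only the root DSE, so every real entry falls through to the `to *` rule; an identity named by a `by dn.exact=` clause there gets write and can add, while an identity no clause names (the unmapped SASL DN, or anonymous) gets only `by * read`, which is exactly the condition under which `ldap_add` fails with "no write access to parent". Swapping `dn.base` for `dn.subtree="dc=qm"` or `dn.children="dc=qm"` changes which `to` clause selects the entry, which is why the reply suggests checking those styles in `man slapd.access`.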