RE: ACL Headaches
Ok,
My slapd.access file now looks like:
#########
olcAccess: to dn.base=""
 by dn="cn=ldapadmin,dc=qm" write
 by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
 by dn.exact="uid=silasb,ou=people,dc=qm" write
 by self write
 by * read
olcAccess: to *
 by dn="cn=ldapadmin,dc=qm" write
 by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
 by dn.exact="uid=silasb,ou=people,dc=qm" write
 by * read
#########
ldap_add: Insufficient access (50)
additional info: no write access to parent
Tried replacing dn.base="" with dn.base="dc=qm", dn.subtree="dc=qm", dn.children="dc=qm",
dn.subtree="" and dn.children="".
Same story...
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Karsten Gorling
Sent: Thursday, September 22, 2005 12:16 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL Headaches
>* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 20:52]:
>> Every ACL listing now has
>
>I think the error is now in the
>'access to dn=".*,dc=qm"' statement. Apparently you want dn.regex,
>instead of dn.base (which is the default), although I cannot see why.
>Because this ACL is never evaluated, your user has no write access to
>your LDAP tree.
>
>If there is not a pressing need to use dn.regex, use dn.subtree or
>dn.children (look in man slapd.access).
>
>> by dn="uid=silasb,ou=people,dc=qm" write
>> by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write
>
>Since you now have a working SASL regex, the second by-clause will
>never be evaluated true. The ACL engine sees only the modified ACLs,
>so you can omit the second by-statement.
>
>On a second note, if you want to check a "dn" it is always better to use
>dn.exact (usually that is what you want) (ok, exact, or base, is the
>default, but I like to have my ACLs 100% clear).
>
>> ldap_add: Insufficient access (50)
>> additional info: no write access to parent
>
>--
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
>E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
>Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
>PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------
>
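As an added illustration (not code from the thread and not OpenLDAP's own), a small Python model of the documented ACL walk: first matching "access to" clause, then first matching "by" clause, with the base/exact, subtree and children scope styles from slapd.access(5). It is used here to see which of the two olcAccess rules quoted above governs the parent entry of an add, and what an unmapped SASL identity receives under them; `POSTER_ACLS` is the thread's config transcribed as data, and `uid=new,ou=people,dc=qm` is an assumed entry being added.

```python
# Added example (not from the thread): a simplified model of slapd's ACL walk.
# The first "access to <what>" clause matching the entry is taken, then the first
# matching "by <who>" clause within it. Scopes follow slapd.access(5); regex,
# attrs, filters, peername and control keywords are not modelled.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parent_dn(dn):
    """Parent by first-comma split (constructed DNs have no escaped commas); root DSE -> None."""
    return None if dn == "" else dn.partition(",")[2]

def dn_matches(style, pattern, target):
    below = target.endswith("," + pattern) if pattern else target != ""
    if style in ("base", "exact"):      # exact is a synonym of base: that one entry only
        return target == pattern
    if style == "subtree":              # the entry itself plus everything under it
        return target == pattern or below
    if style == "children":             # everything under it, but not the entry itself
        return below
    raise ValueError("unknown dn style %r" % style)

def governing_acl(acls, target_dn):
    """Index of the first 'to' clause whose <what> matches target_dn, else None."""
    for i, (to_spec, _) in enumerate(acls):
        if to_spec == "*" or dn_matches(*to_spec, target_dn):
            return i
    return None

def decide(acls, target_dn, bind_dn):
    """Access level granted to bind_dn on target_dn ('none' when nothing matches)."""
    i = governing_acl(acls, target_dn)
    if i is None: return "none"
    for who, level in acls[i][1]:
        if who == "*" or (who == "self" and bind_dn == target_dn) \
                or (isinstance(who, tuple) and dn_matches(*who, bind_dn)):
            return level                # first matching 'by' clause wins
    return "none"

def can_add(acls, new_dn, bind_dn):
    """Simplified add check: write access on the parent entry ('no write access to parent')."""
    parent = parent_dn(new_dn)
    return parent is not None and \
        ACCESS_LEVELS.index(decide(acls, parent, bind_dn)) >= ACCESS_LEVELS.index("write")

# The two olcAccess rules from the message above, transcribed as data.
ADMIN = ("base", "cn=ldapadmin,dc=qm")
SASL_ADMIN = ("base", "uid=ldapadmin,cn=QM,cn=gssapi,cn=auth")
SILAS = ("exact", "uid=silasb,ou=people,dc=qm")
POSTER_ACLS = [
    (("base", ""), [(ADMIN, "write"), (SASL_ADMIN, "write"), (SILAS, "write"),
                    ("self", "write"), ("*", "read")]),
    ("*", [(ADMIN, "write"), (SASL_ADMIN, "write"), (SILAS, "write"), ("*", "read")]),
]
```

Under this model the `to dn.base=""` rule only ever governs the root DSE; the parent `ou=people,dc=qm` falls through to `to *`, where the mapped DN `uid=silasb,ou=people,dc=qm` gets write but an unmapped SASL identity such as `uid=silasb,cn=QM,cn=gssapi,cn=auth` only gets `by * read`.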