
Re: ACL problem



On 10/31/05, Samuel Tran <stran@amnh.org> wrote:
> > > >>>>>>On Wed, 2005-10-26 at 20:53 +0800, Feifei Jia wrote:
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>>Hi there,
> > > >>>>>>>
> > > >>>>>>>What I want to do is:
> > > >>>>>>>
> > > >>>>>>>Let the RDN under ou=Admin,dc=com have write permission to the RDN
> > > >>>>>>>like uid=foo,ou=People,dc=com
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>Do you want any entries in ou=Admin,dc=com to be able to write to any
> > > >>>>>>entries in ou=People,dc=com?
> > > >>>>>>
> > > >>>>>>Sam
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>Yes, that's exactly what I want to do. Could you tell me how to achieve this?
> > > >>>>>
> > > >>>>>
> > > >>>>Try this:
> > > >>>>
> > > >>>>access to dn.subtree="ou=People,dc=com"
> > > >>>>        by dn.one="ou=Admin,dc=com" write
> > > >>>>
> > > >>>>Sam
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>If I want to use regex to let DN like
> > > >>>"uid=test,ou=Admin,dc=demo1,dc=com" can write to entries in
> > > >>>"ou=People,dc=demo1,dc=com", and change "demo1" to "([^,]+)" , what
> > > >>>should I do? It seems I cannot combine subtree with regex.
> > > >>>
> > > >>>
> > > >>>
> > > >>According to man slapd.access, this should work for you:
> > > >>
> > > >>access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > > >>        by dn.one,expand="ou=Admin,dc=$1,dc=com"
> > > >>
> > > >>Let me know if it is fine.
> > > >>
> > > >>Sam
> > > >>
> > > >>
> > > >>
> > > >>
> > > >
> > > >It seems not to work; I only get an "Insufficient access (50)" error :(
> > > >Maybe "dn.one" is not a good choice?
> > > >
> > > >
> > > Sorry I forgot the access field. It should be:
> > >
> > > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > >         by dn.one,expand="ou=Admin,dc=$1,dc=com" write
> > >
> > >
> > > --
> > > Sam
> > >
> >
> > Actually, I did add "write" in the "by" clause that day. And I ran
> > "slapd -d 128"; it showed something like "access denied" :(
> >
>
> Sorry I made a mistake; it should be $2 instead of $1 in the who clause:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
>         by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>
> Sam
>

Cool, that works, thanks.

But there's a weird problem: the "userPassword" of entries in
ou=People,dc=([^,]+),dc=com, whether set using my slapd admin account or
using entries in ou=Admin,dc=$2,dc=com, was invalid. I could successfully add
the "userPassword", but when I used the "Password" to auth (say, with
ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.

All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
added a new rule and put it before "access to attrs=userPassword"
(slapd.conf default ACL):
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword

Still the same :(
--
Thanks~
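A worked slapd.conf fragment, added here as an example and not taken from any message in this thread, showing the ACL the thread settled on next to a form that keeps simple binds working for entries under ou=People. The point it illustrates is how slapd evaluates ACLs: `access to` clauses are tried in order and evaluation stops at the first clause whose target (entry and attribute) matches, and every clause ends with an implicit `by * none`. A simple bind needs `auth` access to the userPassword attribute of the entry being bound as, and at that moment the request is still anonymous. The suffix dc=demo1,dc=com in the comments is assumed from the earlier messages; the "default rules" at the end are modelled on the stock slapd.conf and are an assumption about that particular setup.

```conf
# slapd.conf ACL fragment (added example; suffix dc=demo1,dc=com assumed).
# slapd stops at the first "access to" clause whose target matches the
# entry and attribute being accessed; each clause ends in an implicit
# "by * none".

# The rule from the thread. It has no attrs= qualifier, so it matches
# userPassword under ou=People as well, and the implicit "by * none"
# then denies the "auth" access an (initially anonymous) simple bind
# needs on userPassword. The bind fails with Invalid credentials (49).
#
# access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
#         by dn.one,expand="ou=Admin,dc=$2,dc=com" write

# Handle userPassword under ou=People first: the matching admins and the
# entry itself may change it, anonymous clients may authenticate with it.
# $2 is the second capture group of the target regex; $1 is "(.+,)?".
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth
        by * none

# Everything else under ou=People: admins write, the entry reads itself,
# other authenticated users read. Adjust "by users read" to taste.
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by users read
        by * none

# Rules for the rest of the tree, modelled on the stock slapd.conf
# (assumed; check against the actual file).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by * none
```

Two checks worth making after editing: run `slaptest -f slapd.conf` to confirm the file parses, and run `slapd -d 128` (ACL tracing, as used earlier in the thread) while binding as a People entry, which logs each clause considered and the access level granted, so a missing `auth` grant shows up directly. Note that the rootdn bypasses ACLs entirely, so setting a password as the admin succeeding says nothing about whether the bind that later uses it will be allowed.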