Re: ACL problem
- To: Samuel Tran <stran@amnh.org>
- Subject: Re: ACL problem
- From: Feifei Jia <shenmue71@gmail.com>
- Date: Wed, 2 Nov 2005 10:48:28 +0800
- Cc: openldap <openldap-software@OpenLDAP.org>
- In-reply-to: <1130856921.12385.8.camel@mistral>
On 11/1/05, Samuel Tran <stran@amnh.org> wrote:
> > But there's a weird problem, the "userPassword" of entries in
> > ou=People,dc=([^,]+),dc=com, either using my slapd admin account or
> > entries in ou=Admin,dc=$2,dc=com was invalid. I could successfully add
> > the "userPassword", but when I used the "Password" to auth (say,
> > ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
> >
> > All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
> > added a new rule and put it before "access to attrs=userPassword"
> > (slapd.conf default ACL):
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
> >
> > Still the same :(
>
> Please could you post all your ACL rules?
>
> Try to add this rule before the other rule:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
>     attrs=userPassword
>     by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>     by self write
>     by anonymous auth
>
> This will allow:
> - the admins to modify userPassword
> - the users to modify their own userPassword
> - anonymous to authenticate
>
> --
> Sam
Sorry for the inconvenience :)
My original ACL ("cn=admin,dc=com" is my slapd db admin account):
=========================snip1=========================
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
    by dn="cn=admin,ou=vd" write
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
    by dn="cn=admin,ou=vd" write
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth
access to attrs=userPassword
    by dn="cn=admin,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=com" write
    by * none
=========================snip1=========================
But it still had the same problem: I could add or modify the
"userPassword" attribute of entries in ou=People,dc=([^,]+),dc=com,
but when authenticating it showed "Invalid credentials", just as if I
had typed the wrong password.
And I changed my ACL to:
=========================snip2=========================
access to dn.regex="ou=People,dc=([^,]+),dc=com"
    by dn="cn=admin,ou=vd" write
    by dn.regex,expand="ou=Admin,dc=$1,dc=com" write
    by self write
    by anonymous auth
access to attrs=userPassword
    by dn="cn=admin,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=com" write
    by * none
=========================snip2=========================
It seems that things are looking good now.
Thanks for your help, I really appreciate it :)
--
Thanks~
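The regex capture and `expand` behaviour these rules depend on, as an added stand-alone illustration that is not part of the thread and not slapd's own ACL engine: it models the `by dn.one,expand=` clause of snip1 and the `by dn.regex,expand=` clause of snip2 on constructed DNs, and shows that the unanchored `by` regex in snip2 also admits DNs nested below `ou=Admin,dc=$1,dc=com`, which `dn.one` (or an anchored regex, a hypothetical hardened pattern added here) does not.

```python
import re

# Target-DN patterns copied from the two ACL snippets in the thread.
ANCHORED = r"^(.+,)?ou=People,dc=([^,]+),dc=com$"      # snip1
UNANCHORED = r"ou=People,dc=([^,]+),dc=com"            # snip2
# Hypothetical anchored replacement for the snip2 "by" regex (not from the thread).
HARDENED_BY = r"^[^,]+,ou=Admin,dc=$1,dc=com$"


def normalize(dn):
    """Strip whitespace around RDN separators; DN comparison is case-insensitive."""
    return ",".join(part.strip() for part in dn.split(","))


def expand(pattern, match):
    """Substitute $1..$9 in a 'by' pattern with the target-DN capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", pattern)


def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def by_dn_one_expand(target_re, target_dn, by_pattern, bind_dn):
    """by dn.one,expand=: bind DN must be a direct child of the expanded base.
    Returns None when the 'access to' regex does not match the target at all."""
    m = re.search(target_re, normalize(target_dn), re.IGNORECASE)
    if not m:
        return None
    base = expand(by_pattern, m)
    return parent(normalize(bind_dn)).lower() == base.lower()


def by_dn_regex_expand(target_re, target_dn, by_regex, bind_dn):
    """by dn.regex,expand=: expanded pattern is applied to the bind DN as a
    regex; slapd ACL regexes are case-insensitive and not implicitly anchored."""
    m = re.search(target_re, normalize(target_dn), re.IGNORECASE)
    if not m:
        return None
    return re.search(expand(by_regex, m), normalize(bind_dn), re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample DNs for a "people" entry and three candidate admins.
    target = "uid=alice,ou=People,dc=example,dc=com"
    print(by_dn_one_expand(ANCHORED, target, "ou=Admin,dc=$2,dc=com",
                           "cn=ops,ou=Admin,dc=example,dc=com"))       # True
    print(by_dn_regex_expand(UNANCHORED, target, "ou=Admin,dc=$1,dc=com",
                             "cn=x,ou=Sub,ou=Admin,dc=example,dc=com"))  # True (nested)
    print(by_dn_regex_expand(UNANCHORED, target, HARDENED_BY,
                             "cn=x,ou=Sub,ou=Admin,dc=example,dc=com"))  # False
```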