[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL debug woes.



I've been banging my head on ACLs for 2 days now and my biggest problem is that there's NO debug info (as far as I can tell.)

I have added the -d 13365 option to get debug output. All I receive in regard to my ACLs is this:

bdb_add: no write access to parent
send_ldap_result: conn=17 op=1 p=3
send_ldap_result: err=50 matched="" text="no write access to parent"

Any suggestions about debugging ACLs?  they *seem* simple enough.


The main thing I am trying to do is address books, and I've worked with this: http://www.zytrax.com/books/ldap/ch6/index.html#ex-addressbook a whole lot, and it's not helping because I get no information from slapd as to what's going on.


An addressbook is located in:
ou=Address Book,uid=X,ou=Y,dc=nodomain
where X is the username, ie: joe
and Y is the domain of the user, ie: test.com


The last attempt with my ACLs:

access to *
        by dn="cn=admin,dc=nodomain" write
        by self write
        by * read

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry,children,@inetorgperson
    by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write

access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry
    by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read


What I want to achieve is that anyone who can bind to the LDAP server can read/write their own addressbook. I also have a domain-wide addressbook at "ou=Address Book,ou=Y,dc=nodomain" again where Y is any of a number of domains. I'd like domain user access to this as well, but I'll try working on that after user AB's are working.



Any and all help/suggestions would be appreciated. Leeman Struot