[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ACL debug woes.
- To: openldap-software@OpenLDAP.org
- Subject: ACL debug woes.
- From: Leeman Strout <me@mooluv.com>
- Date: Thu, 12 Jan 2006 15:47:44 -0500
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051201 Thunderbird/1.5 Mnenhy/0.7.3.0
I've been banging my head on ACLs for 2 days now and my biggest problem
is that there's NO debug info (as far as I can tell.)
I have added the -d 13365 option to get debug output. All I receive in
regard to my ACLs is this:
bdb_add: no write access to parent
send_ldap_result: conn=17 op=1 p=3
send_ldap_result: err=50 matched="" text="no write access to parent"
Any suggestions about debugging ACLs? they *seem* simple enough.
The main thing I am trying to do is address books, and I've worked with
this: http://www.zytrax.com/books/ldap/ch6/index.html#ex-addressbook a
whole lot, and it's not helping because I get no information from slapd
as to what's going on.
An addressbook is located in:
ou=Address Book,uid=X,ou=Y,dc=nodomain
where X is the username, ie: joe
and Y is the domain of the user, ie: test.com
The last attempt with my ACLs:
access to *
by dn="cn=admin,dc=nodomain" write
by self write
by * read
access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
attrs=entry,children,@inetorgperson
by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write
access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
attrs=entry
by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read
What I want to achieve is that anyone who can bind to the LDAP server
can read/write their own addressbook. I also have a domain-wide
addressbook at "ou=Address Book,ou=Y,dc=nodomain" again where Y is any
of a number of domains. I'd like domain user access to this as well,
but I'll try working on that after user AB's are working.
Any and all help/suggestions would be appreciated.
Leeman Struot