acl sets don't appear to work
I'm running OpenLDAP 2.1.30 on a Gentoo linux system. I've been running
this with samba 3.0.14a very successfully for over a year. When I set
this system up, I followed the howto presented by idealx.org, and I've
been pretty happy with the results.
But, recently, I decided that logging in as root and/or cn=Manager to do
maintenance on the DIT was not a very good idea. I figured, having a
"Domain Admins" group defined in my ldap directory should provide me
with an excellent control for who can/cannot edit the DIT...
regretfully, the memberUid attribute only stores the shortname for
users, so this has complicated setting up ACLs for superuser access to
the directory.
I discovered acl sets. But, I can't seem to get them working.
I've followed the examples in the Faq-O-Matic:
"Sets in Access Controls"
(http://www.openldap.org/faq/index.cgi?_highlightWords=sets%20in%20access%20controls&file=1133)
"Sets as 'reverse groups'"
(http://www.openldap.org/faq/index.cgi?_highlightWords=reverse%20groups&file=1134)
I even went so far as to insert an extremely basic acl at the beginning
of the acl list:
    access to dn="uid=testuser,ou=Users,dc=example,dc=com"
        by set.exact="user/uid & [adminuser]" write
        by * read
When I attempt to edit an attribute of this user, I get ...
    Jan 19 19:31:20 [slapd] => acl_mask: access to entry "uid=testuser,ou=Users,dc=example,dc=com", attr "description" requested
    Jan 19 19:31:20 [slapd] => acl_mask: to all values by "uid=adminuser,ou=users,dc=example,dc=com", (=n)
    Jan 19 19:31:20 [slapd] <= check a_dn_pat: *
    Jan 19 19:31:20 [slapd] <= acl_mask: [2] applying read(=rscx) (stop)
    Jan 19 19:31:20 [slapd] <= acl_mask: [2] mask: read(=rscx)
    Jan 19 19:31:20 [slapd] => access_allowed: write access denied by read(=rscx)
This is obviously a less complex acl than I will need to allow all users
listed in the memberUid attribute of the posixAccount, but if I can't
make this work, I'll never make the real acl work. Am I configuring it
wrong, or is there a config option that I missed during compilation?
Thanks,
rob
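Added slapd.conf example (not from the post above or from the OpenLDAP project) showing the set-based "reverse group" clause the post is working toward, written in the `[<dn>]/<attr> & user/<attr>` intersection form the linked FAQ entries describe; the group DN `cn=Domain Admins,ou=Groups,dc=example,dc=com` and the `dc=example,dc=com` subtree are assumptions.

```conf
# Added example, not from the original post. Assumed layout:
#   user entries:  uid=<shortname>,ou=Users,dc=example,dc=com
#   admin group:   cn=Domain Admins,ou=Groups,dc=example,dc=com
#                  (posixGroup with one memberUid=<shortname> per admin)
# Continuation lines of an access directive must begin with whitespace.

# [<dn>]/memberUid expands to the group's memberUid values and user/uid
# to the uid of the bound user's own entry; the set is non-empty exactly
# when the bound user's shortname is listed in the group.  user/uid only
# works for a bind DN that exists as an entry in the DIT (the rootdn
# from slapd.conf has no entry to dereference).
access to dn.subtree="dc=example,dc=com"
    by set="[cn=Domain Admins,ou=Groups,dc=example,dc=com]/memberUid & user/uid" write
    by * read
```

Keep the set clause ahead of `by * read`: slapd applies the first `by` clause that matches and stops, which is why the log above reports clause [2] once the first clause fails to match.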