Ldap access lines for replicator
- To: <openldap-software@OpenLDAP.org>
- Subject: Ldap access lines for replicator
- From: "Nolan Rumble" <nmr@sun.ac.za>
- Date: Thu, 26 Jan 2006 09:37:00 +0200
Hi,
I've managed to set up slurpd on one of my servers and a slave server on
another one. The problem I'm having is that the replicator user
(cn=replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za) doesn't seem to be
getting permission to write to the database.
All the data below is for my slave server:
My access lines are as follows:
In slapd.conf:
# Define global ACLs to disable default read access and provide default
# behaviour for samba/pam use
include /etc/openldap/slapd.access.conf
# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits dn.exact="cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za"
        size=unlimited
        time=unlimited
In slapd.access.conf:
# The root DIT should be accessible to all clients
access to dn.exact=""
        by * read

# So should the schema
access to dn.subtree="cn=Subschema"
        by * read

access to dn.regex="^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by anonymous auth
        by * none

access to dn.regex="^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by self write
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by anonymous auth
        by * none

access to dn.regex="([^,]*,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by users read
        by anonymous read

# catch-all
access to dn.regex="([^,]*,)?(dc=[^,]+(,dc=[^,]+)*)$"
        by dn.exact,expand="cn=root,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by * read
## Finished
My error log is as follows (logging 128):
Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access to "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za" "userPassword" requested
Jan 26 09:31:40 hubble slapd[32237]: => dn: [1]
Jan 26 09:31:40 hubble slapd[32237]: => dn: [2] cn=subschema
Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [3] ^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [4] ^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] matched
Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] attr userPassword
Jan 26 09:31:40 hubble slapd[32237]: access_allowed: no res from state (userPassword)
Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: access to entry "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za", attr "userPassword" requested
Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: to value by "", (=0)
Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: self
Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: cn=root,$2
Jan 26 09:31:40 hubble slapd[32237]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access denied by =0
## end of log
Any help would be appreciated :)
Thanks
Nolan
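The evaluation the log above walks through, as an added Python model that is not part of the original post or of OpenLDAP itself: the first matching "access to" clause wins, then its first matching "by" clause fixes the privilege, and "$2" in a dn.exact,expand clause is filled from the matched regex group. Assumptions: the group.expand clauses are left out (no group lookup offline), attrs lists are matched as literal attribute names, DNs are compared as plain strings where slapd compares normalised DNs, and the entry uid=someone is a constructed sample.

```python
import re

# Constructed model of the ACLs posted above (group.expand clauses omitted: no group lookup offline).
# Each entry: (dn.regex <what>, attrs or None for the whole entry, ordered <who> clauses).
PW_ATTRS = {"sambaLMPassword", "sambaNTPassword", "userPassword",
            "sambaPasswordHistory", "sambaPwdLastSet"}
ACLS = [
    (r"^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$", PW_ATTRS,
     [("cn=root,$2", "write"), ("cn=Replicator,ou=People,$2", "write"),
      ("anonymous", "auth"), ("*", "none")]),
    (r"^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$", PW_ATTRS,
     [("self", "write"), ("cn=root,$2", "write"), ("cn=Replicator,ou=People,$2", "write"),
      ("anonymous", "auth"), ("*", "none")]),
    (r"([^,]*,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$", {"inetOrgPerson", "mail"},
     [("self", "write"), ("cn=root,$2", "write"), ("cn=Replicator,ou=People,$2", "write"),
      ("users", "read"), ("anonymous", "read")]),
    (r"([^,]*,)?(dc=[^,]+(,dc=[^,]+)*)$", None,   # catch-all, no attrs: entry and all attributes
     [("cn=root,$2", "write"), ("cn=Replicator,ou=People,$2", "write"), ("*", "read")]),
]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege ordering

def expand(who, match):
    """Substitute $1..$9 in a dn.exact,expand clause with the <what> regex groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", who)

def who_matches(who, match, target_dn, bind_dn):
    """Match one <who> clause; bind_dn "" is the anonymous identity ("" in the log)."""
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
                "self": bind_dn == target_dn}[who]
    return expand(who, match) == bind_dn  # real slapd compares normalised DNs

def access_allowed(target_dn, attr, bind_dn, wanted):
    """Mimic slapd: first matching <what> wins, then its first matching <who> decides."""
    for i, (pattern, attrs, by) in enumerate(ACLS):
        m = re.search(pattern, target_dn)     # dn.regex is unanchored unless ^/$ is used
        if not m or (attrs is not None and attr not in attrs):
            continue
        for who, level in by:
            if who_matches(who, m, target_dn, bind_dn):
                granted = LEVELS.index(level) >= LEVELS.index(wanted)
                return granted, f"acl [{i}] matched, <who> {who!r} grants {level}"
        return False, f"acl [{i}] matched, no <who> clause applied (stop)"
    return False, "no <what> clause matched"

if __name__ == "__main__":   # the bind seen in the log, then the write the replicator needs
    base = "dc=ph,dc=sun,dc=ac,dc=za"
    print(access_allowed(f"cn=Replicator,ou=People,{base}", "userPassword", "", "auth"))
    print(access_allowed(f"uid=someone,ou=People,{base}", "userPassword",
                         f"cn=Replicator,ou=People,{base}", "write"))
```

With the clauses as posted, the model grants the anonymous pre-bind auth access through "by anonymous auth", whereas the posted log stops after checking cn=root,$2 with no further <who> clauses; comparing the clause list slapd actually loaded against the file above is therefore the first check to make.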