ACL's and dynlist confusion
Hi,
I am using openldap 2.3.24 and have the following ACL:
# for everything else, admins can read & write
access to *
by group="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
by * none
My test account is a member of ldapadmins:
dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups=ldapadmins)
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org
However, when I try to access an object:
ldapsearch -x -W -D "uid=test2,ou=staff,ou=people,dc=nsd,dc=org" -h srvld01 -b "ou=staff,ou=people,dc=nsd,dc=org" '(uid=test1)'
I get the following in the logs on the server:
Jul 21 15:26:15 localhost slapd[14554]: => acl_mask: access to entry "uid=test1,ou=staff,ou=People,dc=nsd,dc=org", attr "uid" requested
Jul 21 15:26:15 localhost slapd[14554]: => acl_mask: to value by "uid=test2,ou=staff,ou=people,dc=nsd,dc=org", (=0)
Jul 21 15:26:15 localhost slapd[14554]: <= check a_group_pat: cn=ldapadmins,ou=groups,dc=nsd,dc=org
Jul 21 15:26:15 localhost slapd[14554]: => bdb_entry_get: found entry: "cn=ldapadmins,ou=groups,dc=nsd,dc=org"
Jul 21 15:26:15 localhost slapd[14554]: <= bdb_entry_get: failed to find objectClass groupOfNames
Jul 21 15:26:15 localhost slapd[14554]: <= check a_dn_pat: *
Jul 21 15:26:15 localhost slapd[14554]: <= acl_mask: [2] applying none(=0) (stop)
Jul 21 15:26:15 localhost slapd[14554]: <= acl_mask: [2] mask: none(=0)
Jul 21 15:26:15 localhost slapd[14554]: => access_allowed: search access denied by none(=0)
Why is it asking for the groupOfNames objectClass? Do I have to add this object class to my schema for dynlists?
Thanks,
ski
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
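Editor's note, added here and not part of the original post: the slapd.access(5) `group` clause is `by group[/<objectclass>[/<attrname>]]=<pattern>`, and when the objectClass and attribute are omitted slapd defaults to `groupOfNames` and `member`. That default is what the log is reporting: the group entry is found, but it does not carry objectClass groupOfNames, so the `group=` clause does not match and evaluation falls through to `by * none`. The fragment below places the posted ACL beside one that names the group's own objectClass. The objectClass `nsdGroupOfMemberURLs` and the `member` attribute are taken from the poster's LDIF; that `member` is the attribute the poster wants the check to read is an assumption.

```conf
# As posted: no objectClass/attribute given, so slapd looks for
# objectClass groupOfNames and attribute member on the group entry.
# The group here is an nsdGroupOfMemberURLs, so this clause never matches.
access to *
        by group="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
        by * none

# Corrected form (assumption: the membership attribute to check is "member",
# as in the posted LDIF). The objectClass and attribute are spelled out,
# so no change to the schema is needed.
access to *
        by group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
        by * none
```

One check worth making after the change: the log shows the group entry being read directly through `bdb_entry_get`, so confirm on your release whether the ACL group check sees members that the dynlist overlay expands from `memberURL`, or only values stored statically in `member:` as the `uid=test2` entry is here. Re-running the same `ldapsearch` with `loglevel acl` enabled shows which it is.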