
acl problem



Hi folks,

I am trying to get an ACL for an address book to work.

The relevant ACL statements are:

access to attrs=userPassword,userPKCS12
        by dn="cn=admin,dc=graylion,dc=net" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        by dn="uid=$1,ou=users,dc=graylion,dc=net" write
        by dn.regex="cn=admin,dc=graylion,dc=net" read
        by users none
access to * by dn="cn=admin,dc=graylion,dc=net" write by * read

I have also tried using

by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write

but in all cases I get (when I try to add something to my personal address book):

Apr 12 12:59:32 collab slapd[17093]: do_add
Apr 12 12:59:32 collab slapd[17093]: >>> dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: <<< dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>, <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 ADD dn="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: bdb_referrals: op=104 target="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" matched="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "inetOrgPerson"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "mozillaAbPersonAlpha"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "uid"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "objectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "cn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "givenName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "sn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "displayName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "c"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "structuralObjectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryUUID"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "creatorsName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "createTimestamp"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryCSN"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifiersName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifyTimestamp"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested
Apr 12 12:59:32 collab slapd[17093]: => dn: [2]
Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] attr children
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: access to entry "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr "children" requested
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=n)
Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses, returning =n (stop)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access denied by =n
Apr 12 12:59:32 collab slapd[17093]: bdb_add: no write access to parent
Apr 12 12:59:32 collab slapd[17093]: send_ldap_result: conn=72 op=2 p=3
Apr 12 12:59:32 collab slapd[17093]: send_ldap_response: msgid=3 tag=105 err=50
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 RESULT tag=105 err=50 text=no write access to parent

Now,

dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1

seems to tell me that the regex gets matched correctly, but on the other hand it totally seems to not find

'by dn="uid=$1,ou=users,dc=graylion,dc=net" write'

I seem to be missing something obvious. What is it?

thanks

Bernhard
--
Graylion's Fetish & Fashion Store
Goth and Kinky Boots, Clothing and Jewellery
http://www.graylion.net
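Added illustration, not part of the original post and not slapd's own code: a small model of how a "to dn.regex" ACL with one capture group is evaluated against the <by> clauses above, written from slapd.access(5)'s rule that $N is substituted only in dn.regex/dn.expand <by> clauses while a plain dn="..." is compared literally. The ACL, DNs and access levels are taken from the post; the function names, the LEVELS subset and the "other" user DN are constructed for the example.

```python
import re

# Subset of slapd's privilege ordering (disclose/manage omitted), lowest first.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def expand(template, match):
    """Replace $1..$9 in a <by> pattern with the <to> regex's submatches.
    Like slapd, the submatch is inserted verbatim, so keep the capture tight ([^,]+)."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), template)

def who_matches(style, pattern, bound_dn, match):
    if style == "*":
        return True
    if style == "users":                      # any authenticated (non-anonymous) identity
        return bound_dn != ""
    if style == "dn":                         # dn.exact: literal compare, "$1" stays "$1"
        return bound_dn.lower() == pattern.lower()
    if style == "dn.regex":                   # expand $N first, then regex-search the DN
        return re.search(expand(pattern, match), bound_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported <who> style: %s" % style)

def access_allowed(to_regex, by_clauses, target_dn, bound_dn, wanted):
    """First matching <by> clause decides (as acl_mask does); None = ACL not applicable."""
    match = re.search(to_regex, target_dn, re.IGNORECASE)
    if match is None:
        return None
    for style, pattern, level in by_clauses:
        if who_matches(style, pattern, bound_dn, match):
            return LEVELS.index(level) >= LEVELS.index(wanted)
    return False                              # "no more <who> clauses" -> =n

# Constructed inputs mirroring the post. Adding a child entry needs write on the
# parent's "children" pseudo-attribute, so the <to> regex is tested on the parent DN.
TO = r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
PARENT = "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
OWNER = "uid=graylion,ou=users,dc=graylion,dc=net"
EXACT_BY = [("dn", "uid=$1,ou=users,dc=graylion,dc=net", "write"),
            ("dn.regex", "cn=admin,dc=graylion,dc=net", "read"),
            ("users", None, "none")]
REGEX_BY = [("dn.regex", r"^uid=$1,ou=users,dc=graylion,dc=net$", "write")] + EXACT_BY[1:]

def owner_can_add(by_clauses):
    return access_allowed(TO, by_clauses, PARENT, OWNER, "write")

if __name__ == "__main__":
    print("by dn= form:      ", owner_can_add(EXACT_BY))   # False: literal "$1" never equals "graylion"
    print("by dn.regex= form:", owner_can_add(REGEX_BY))   # True
```

The model stops at the first matching <by> clause, so the trailing "by users none" swallows every authenticated bind that the earlier clauses did not match, which is what the "=n (stop)" lines in the trace show.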