[Date Prev][Date Next] [Chronological] [Thread] [Top]

acl problem

To: openldap-software@openldap.org
Subject: acl problem
From: Bernhard D Rohrer <graylion@sm-wg.net>
Date: Thu, 12 Apr 2007 13:05:53 +0100
User-agent: Thunderbird 1.5.0.10 (X11/20070306)

Hi folks

I am trying to get an acl for an address book to work.

the relevant acl statements are:

access to attrs=userPassword,userPKCS12
        by dn="cn=admin,dc=graylion,dc=net" write
        by anonymous auth
        by self write
        by * none


access to dn.base=""
        by * read

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        by dn="uid=$1,ou=users,dc=graylion,dc=net" write
        by dn.regex="cn=admin,dc=graylion,dc=net" read
        by users none


access to *
        by dn="cn=admin,dc=graylion,dc=net" write
        by * read

I have also tried using

by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write

but in all cases I get (when I try to add something to my personal address book):

Apr 12 12:59:32 collab slapd[17093]: do_add Apr 12 12:59:32 collab slapd[17093]: >>> dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>

Apr 12 12:59:32 collab slapd[17093]: <<< dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>, <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>

Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 ADD dn="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"

Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")

Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" ) Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) Apr 12 12:59:32 collab slapd[17093]: bdb_referrals: op=104 target="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" matched="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "inetOrgPerson" Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "mozillaAbPersonAlpha" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "uid" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "objectClass" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "cn" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "givenName" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "sn" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "displayName" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "c" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "structuralObjectClass" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryUUID" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "creatorsName" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "createTimestamp" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryCSN" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifiersName" Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifyTimestamp" Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")

Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" ) Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested Apr 12 12:59:32 collab slapd[17093]: => dn: [2] Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1 Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] attr children Apr 12 12:59:32 collab slapd[17093]: => acl_mask: access to entry "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr "children" requested Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=n) Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses, returning =n (stop) Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access denied by =n Apr 12 12:59:32 collab slapd[17093]: bdb_add: no write access to parent Apr 12 12:59:32 collab slapd[17093]: send_ldap_result: conn=72 op=2 p=3 Apr 12 12:59:32 collab slapd[17093]: send_ldap_response: msgid=3 tag=105 err=50 Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 RESULT tag=105 err=50 text=no write access to parent

now
dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1

seems to tell me that the regex gets matched correctly but on the other hand it totally seems to not find

'by dn="uid=$1,ou=users,dc=graylion,dc=net" write'

I seem to be missing something obvious. what is it?

thanks

Bernhard
--
Graylion's Fetish & Fashion Store
Goth and Kinky Boots, Clothing and Jewellery
http://www.graylion.net

Follow-Ups:
- Re: acl problem
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Syncrepl-Consumer deletes entries
Next by Date: Re: slapd crashing "randomly?"
Index(es):
- Chronological
- Thread