
ACL's and write permission.




I went through the slapd.access and slapacl manuals and read the FAQ, but I'm stuck. I cannot give a user the privilege to write to some parts of my LDAP tree.

LDIF export of the relevant parts of my tree:
----------------------------
# LDIF export for: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: Administrador LDAP

# LDIF export for: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: base
# Search filter: (objectClass=*)
# Total objects: 1

dn: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
ou: moodleusers
objectClass: organizationalUnit
objectClass: top

# LDIF export for: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
uid: usuariomoodle-admin
userPassword: ...
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
----------------------------


and now slapd.conf:

----------------------------
# 1
access to dn.base="cn=Subschema"
        by * read

# 2
access to attrs=userPKCS12
        by self write
        by * auth

# 3
access to attrs=shadowLastChange
        by self write
        by * read

# 4
access to attrs=userPassword
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous    auth
        by self         write
        by *            none

# 5
access to dn.base=""
        by * read

# 6
access to *
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read

# 7
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write


# Previous tries

#access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
# by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write


#access to dn.children="dc=sub,dc=domain,dc=xyz,dc=xy"
#        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

#access to * (!)
# by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write


suffix          "dc=sub,dc=domain,dc=xyz,dc=xy"

rootdn "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy"
rootpw ...
----------------------------

I also tried setting usuariomoodle-admin's permissions to "=mwrscxd", since that is the exact output from slapacl for "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy". Following the ACLs in that order, I can't find where, if anywhere, an ACL breaks my ACL number 7.
I used phpldapadmin, logged in as usuariomoodle-admin, and could neither create child objects nor modify existing ones. Using the external application (the one this ACL is for) to write to the LDAP tree didn't work either. Finally, slapacl showed just "rscxd" as the permissions for that user, despite the fact that I set write permission in slapd.conf for that resource and that user.

What's wrong?


thanks,

 lauro
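An added example, not part of the original message: the same slapd.conf ACLs reordered so that the moodleusers rule is reached at all. slapd evaluates `access to` clauses in order and stops at the first one whose target matches the entry, so rule 6 (`access to *`, `by * read`) answers every request for ou=moodleusers before rule 7 is consulted, which is exactly the "rscxd" slapacl reports. The "=mwrscxd" seen for cn=admin comes from it being the rootdn, which bypasses ACLs entirely, so copying that into a `by` clause changes nothing. DNs are the ones from the post; the slapd.conf path in the slapacl check is assumed.

```conf
# Password attribute inside the Moodle subtree: let the Moodle service account
# set passwords there only (least privilege), and keep "by * none" so nobody
# else can read hashes. Attribute rules must precede the entry-level rules.
access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy" attrs=userPassword
        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous auth
        by self write
        by * none

# Original rule 4, unchanged, for userPassword everywhere else.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous auth
        by self write
        by * none

# The OU and everything below it. This MUST come before "access to *":
# slapd uses the first "access to" whose <what> matches and never looks further.
# dn.subtree covers the OU itself (needed for the "children" pseudo-attribute
# when adding entries) and the child entries (needed for modifications).
# "by * read" is kept so other users do not lose the read access rule 6 gave them;
# without it the clause would end in an implicit deny for everyone else.
access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read

# Catch-all stays last. cn=admin is the rootdn and is not subject to ACLs anyway.
access to *
        by dn.exact="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read

# Offline check of the result (path assumed); expect "entry: write(=wrscxd)":
#   slapacl -f /etc/ldap/slapd.conf \
#       -D "uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" \
#       -b "ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy" entry
```

Run the same slapacl command with `-b` pointing at a child entry and with `-D` set to another user to confirm that the service account gets write only inside the subtree and everyone else still gets read.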


