
Help with ACL's for Users/Groups

Hi -

First off, I want to apologize for posting to the list when I really should
have read more.
Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin
Guide... and I'm still scratching my head wondering why this isn't working.

Here's my structure...
I have two Groups: "Home" and "Work".
I have two Users: "Me" and "You". These users have passwords.

I can search my LDAP using the rootdn, and I'm able to add to each of the
Group AddressBooks "Home", and "Group" using the rootdn. What I can't seem
to do, is have user "Me" or "You" access any of the AddressBooks.

The user "Me" has access to "Home" and "You" has access to "Work"; each has
two different email addresses.

Again... the rootdn can see everything in Thunderbird... but it's "Me" and
"You" that seem to have no access.
Could someone please point me in the right direction?

I'm also using Apache Directory Studio, and I verified that the four
entries I added... two being placed in the "Home" AddressBook, and the other
two in the "Work" AddressBook. The ACLs I'm using are below... and further
down is the LDIF I used to create my structure.

I've tried attrs=userPassword and attr=userPassword... I've seen both of
these examples used.

Thank you for any help.

# ACL1
access to attrs=userPassword
        by self write
        by anonymous auth
# ACL2
access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
        by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write
# ACL3
access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read
access to dn.base="" by * read
# ACL4
access to dn.base="cn=Subschema" by * read
# ACL5
disallow bind_anon

The LDIF I used...
# Initialize the suffix entry defined in slapd.conf
#
dn: dc=MyCompany,dc=com
objectclass: top
objectclass: organization
objectclass: dcObject
dc: MyCompany
o: cctr

#
# Initialize the AddressBooks hierarchy
#
dn: ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: AddressBooks

#
# Define individual address books
#
dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Home

dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Work

#
# Initialize the Users hierarchy
#
dn: ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Users

#
# Define individual users
#
dn: cn=Me,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: Me
sn: My LastName
userPassword: {crypt}XXXXXX

dn: cn=You,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: You
sn: You LastName
userPassword: {crypt}XXXXXX

#
# Initialize the Groups hierarchy
#
dn: ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups

#
# Group users into separate address books
#
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com

dn: o=Work,ou=Groups,dc=ucsb,dc=edu
objectclass: top
objectclass: groupOfNames
cn: Work
member: cn=You,ou=Users,dc=MyCompany,dc=com


-------------------
david stackis
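As an added example (not part of the original post, and a simplified model rather than slapd's own evaluation code), the Python below replays ACL2 against the posted entries: the text captured by (.+) in the dn.regex is substituted for $1 in the group.expand template, the resulting DN is looked up among the entries, and only then is membership tested. It assumes case-insensitive DN comparison and consults only the member attribute; the LDIF strings are constructed from the post, trimmed to the two entries ACL2 touches.

```python
import re

# ACL2 as posted: the target regex and the group.expand template.
ACL_TARGET = r"o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
ACL_GROUP = "cn=$1,ou=Groups,dc=MyCompany,dc=com"

# Constructed sample entries, trimmed to what ACL2 consults: the address book
# and the group. The group DN here is exactly as in the posted LDIF (named by o).
LDIF_AS_POSTED = """\
dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: organization

dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: groupOfNames
member: cn=Me,ou=Users,dc=MyCompany,dc=com
"""
# Same data, but the group is named by cn, so its DN equals what ACL2 expands to.
LDIF_CN_GROUP = LDIF_AS_POSTED.replace("dn: o=Home,ou=Groups", "dn: cn=Home,ou=Groups")

HOME_BOOK = "o=Home,ou=AddressBooks,dc=MyCompany,dc=com"
ME = "cn=Me,ou=Users,dc=MyCompany,dc=com"
YOU = "cn=You,ou=Users,dc=MyCompany,dc=com"

def parse_ldif(text):
    """Return {lower-cased DN: {attr: [values]}} for attribute-only LDIF blocks."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def group_expand_grants(entries, target_dn, bind_dn):
    """Simplified model of ACL2: search the (unanchored) regex against the target
    DN, substitute $1 into the group template, then test membership.
    Returns (expanded group DN or None, whether the clause grants access)."""
    m = re.search(ACL_TARGET, target_dn, re.IGNORECASE)
    if not m:
        return None, False                 # ACL2 does not apply to this entry
    group_dn = ACL_GROUP.replace("$1", m.group(1))
    group = entries.get(group_dn.lower())
    if group is None:
        return group_dn, False             # no entry at the expanded DN: clause never matches
    members = {v.lower() for v in group.get("member", [])}
    return group_dn, bind_dn.lower() in members
```

With LDIF_AS_POSTED, group_expand_grants(parse_ldif(LDIF_AS_POSTED), HOME_BOOK, ME) expands to cn=Home,ou=Groups,dc=MyCompany,dc=com, which is not among the entries, so the clause grants nothing; with LDIF_CN_GROUP the same call is True for Me and False for You.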