
ACL

Hi,
my DIT is something like this:

dc=<base>
|__ dc=<domain_1>
|     |__ o=<org_1>
|     |     |__cn=user_domain1_1
|     |     |__cn=user_domain1_2
|     |     |__cn=user_domain1_3
|     |__ o=<org_2>
|           |__cn=user_domain1_3
|           |__cn=user_domain1_4
|           |__cn=user_domain1_5
|__ dc=<domain_2>
     |__ o=<org_3>
     |     |__cn=user_domain2_1
     |     |__cn=user_domain2_2
     |     |__cn=user_domain2_3
     |__ o=<org_4>
           |__cn=user_domain2_3
           |__cn=user_domain2_4
           |__cn=user_domain2_5

I would like to create one administrative account for each domain (<domain_1> and <domain_2>).

Here is my way:

I create a new branch:

dc=<base>
|__ o=Administrators
      |__ou=<domain_1>_Administrators
           |__ cn=Administrator1

Then I insert a new directive in slapd.conf:

access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

Here is the response when I try to connect with <domain_1>Administrators credentials:

Error opening connection:
[LDAP: error code 49 - Invalid Credentials]

Here is OpenLDAP's output in debug mode:

daemon: activity on 1 descriptor
daemon: activity on:            
slap_listener_activate(7):      
daemon: epoll: listen=7 busy    
>>> slap_listener(ldap://<my_host>:1389)
daemon: activity on 1 descriptor             
daemon: activity on:                         
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 11           
daemon: added 11r (active) listener=(nil)        
daemon: activity on 1 descriptor                 
daemon: activity on:                             
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor                 
daemon: activity on: 11r                         
daemon: read active on 11                        
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000              
connection_read(11): checking for input on id=1000
ber_get_next                                      
ber_get_next: tag 0x30 len 83 contents:           
op tag 0x60, time 1268990296                      
ber_get_next
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
<<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>dministrators,o=administrators,dc=<base>>
do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
=> bdb_dn2id("dc=<base>")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x12
=> bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x13
=> bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x14
entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
<= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 11
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=11 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=11
daemon: removing 11

Same result with this policy:
access to dn.subtree="dc=<domain_1>,dc=<base>" by * write

I can access only with this policy:
access to * by * write

I compiled OpenLDAP 2.4.21 with default settings.

Here is my slapd.conf:

include         /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
include         /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

pidfile         /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
argsfile        /sw/test_domain_openldap-2.4.21/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=<base>"
rootdn          "cn=Manager,dc=<base>"
rootpw          testdomain
directory       /sw/test_domain_openldap-2.4.21/var/openldap-data
index   objectClass     eq

access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

thanks in advance!
Carlo
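As an added example (not part of Carlo's post and not an OpenLDAP-shipped configuration), here is a slapd.conf ACL set that lets the per-domain administrator bind and then confines its write access to its own domain's subtree, in place of the blanket `access to * by * write`. It assumes a second administrator, cn=Administrator2 under ou=<domain_2>Administrators, which the post does not define; the comments explain why the narrower directive on its own produced err=49.

```conf
# Added example, not from the original post. Placeholders in <angle
# brackets> are the poster's own; cn=Administrator2 and its ou are assumed.
#
# slapd evaluates "access to" directives in order: the first clause whose
# target matches the entry/attribute decides, and an entry or attribute
# that no clause matches is denied (only the rootdn is exempt).

# 1. Passwords. A simple bind needs "auth" access to the bind DN's
#    userPassword, and the connection is still anonymous at that moment.
#    With only the dn.subtree="dc=<domain_1>,..." directive present, the
#    Administrator1 entry under o=Administrators matched no clause, so the
#    password could not be checked and slapd answered err=49
#    (Invalid Credentials). "by * write" on that subtree fails the same way.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Delegation: Administrator1 may write everything under <domain_1>;
#    other authenticated users may read it; anonymous clients get nothing.
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn.exact="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
        by users read
        by * none

# 3. Same pattern for the second domain and its own administrator
#    (assumed name; the post defines only Administrator1).
access to dn.subtree="dc=<domain_2>,dc=<base>"
        by dn.exact="cn=Administrator2,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write
        by users read
        by * none

# 4. Catch-all, replacing "access to * by * write", which also let anonymous
#    clients rewrite the whole tree. Authenticated users can read the rest of
#    the DIT (e.g. the o=Administrators branch); nobody else can write to it.
access to *
        by users read
        by * none
```

The bind precondition can be checked without a client: `slapacl -f slapd.conf -D "<Administrator1 DN>" -b "<Administrator1 DN>" userPassword/auth` reports whether the first directive grants `auth` on that entry's password.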