ACL to create a CRUD to OpenLDAP
- To: openldap-technical@openldap.org
- Subject: ACL to create a CRUD to OpenLDAP
- From: MrBiTs <mrbits.dcf@gmail.com>
- Date: Wed, 07 Jul 2010 10:31:58 -0300
- Openpgp: id=2B3CA5AB
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Lightning/1.0b1 Thunderbird/3.0.5
Hi, all
I'm writing a little script to allow some people to manage LDAP users, as a CRUD. I created a user
uid=crud,ou=Applications,dc=domain,dc=org and I need to allow this user to add, modify and delete users that belong only to
ou=FTPUsers,dc=domain,dc=org.
I wrote this ACL in slapd.conf:
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
by dn.exact="cn=Admin,dc=domain,dc=org" write
by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
by self write
by * read
Testing the ACL, I got:
[root@svr2021 openldap2.4]# slapacl2.4 -f /etc/openldap2.4/slapd.conf -b "uid=crud,ou=Applications,dc=domain,dc=org" -D
"uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org" "uid/write:"
authcDN: "uid=ftppinguim,ou=ftpusers,dc=domain,dc=org"
write access to uid=: DENIED
So, the ACL is not working. If I ask for uid/read:, access is allowed.
Later I changed my ACL to dn.children, but the result was the same.
I'm using LDAP 2.4 and I would like to know if somebody has already done the same configuration or has tips or docs to read.
Thanks a lot
.0. MrBiTs - mrbits.dcf@gmail.com
..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB
000 http://www.mrbits.com.br
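Added example, not part of the original post: a small Python harness that runs slapacl(8) over a matrix of (authcDN, target entry, attr/access) cases and reports any verdict that differs from the intended policy, so an ACL change can be regression-tested before it ships. In slapacl, -D names the identity whose rights are tested and -b the entry being accessed; the DNs come from the post, while the ou=Applications negative case, the expected verdicts and the path of slapacl are assumptions.

```python
import re
import subprocess

SLAPD_CONF = "/etc/openldap2.4/slapd.conf"  # path from the post; adjust to your host
CRUD_DN = "uid=crud,ou=Applications,dc=domain,dc=org"
FTP_USER_DN = "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org"

# Intended policy, stated as assumptions: the CRUD account may edit entries under
# ou=FTPUsers and nothing else (least privilege for a service account).
# Each case: (authcDN, target entry, attr/access, expected verdict)
EXPECTED = [
    (CRUD_DN, FTP_USER_DN, "uid/write", "ALLOWED"),
    (CRUD_DN, FTP_USER_DN, "userPassword/write", "ALLOWED"),
    (CRUD_DN, CRUD_DN, "uid/write", "DENIED"),  # outside the subtree: default policy
]

# slapacl reports one line per attribute, e.g. "write access to uid: DENIED";
# with a value it prints "attr=value", which is why "uid=: DENIED" appears in the post.
VERDICT_RE = re.compile(
    r"^(?P<access>\w+) access to (?P<attr>[^=:]+)(?:=(?P<value>.*?))?: (?P<verdict>ALLOWED|DENIED)$"
)


def build_argv(authc_dn, target_dn, attr_access, conf=SLAPD_CONF):
    """Assemble the slapacl command line: -D is who asks, -b is which entry."""
    return ["slapacl", "-f", conf, "-D", authc_dn, "-b", target_dn, attr_access]


def parse_verdicts(output):
    """Map attribute name -> 'ALLOWED'/'DENIED'; the authcDN line is ignored."""
    verdicts = {}
    for line in output.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            verdicts[m.group("attr")] = m.group("verdict")
    return verdicts


def run_case(authc_dn, target_dn, attr_access):
    """Invoke slapacl (assumed on PATH); its verdicts are written to stderr, so read both streams."""
    proc = subprocess.run(build_argv(authc_dn, target_dn, attr_access),
                          capture_output=True, text=True, check=False)
    return parse_verdicts(proc.stderr + proc.stdout)


def check_policy(cases=EXPECTED, runner=run_case):
    """Return [(case, actual_verdict)] for every case whose verdict differs from expectation."""
    failures = []
    for authc_dn, target_dn, attr_access, expected in cases:
        attr = attr_access.split("/")[0]
        actual = runner(authc_dn, target_dn, attr_access).get(attr, "NO RESULT")
        if actual != expected:
            failures.append(((authc_dn, target_dn, attr_access, expected), actual))
    return failures


if __name__ == "__main__":
    for case, actual in check_policy():
        print("MISMATCH", case, "got", actual)
```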