ACL permission issue
- To: openldap-technical@openldap.org
- Subject: ACL permission issue
- From: Eduardo Santos <eduardo.edusantos@gmail.com>
- Date: Wed, 3 Nov 2010 12:02:48 -0200
Hi everyone,
I've been facing an ACL problem for a long time, and I've got to the point where I'm out of ideas. The problem is related to writing in a specific branch of the DIT. My DIT has the following hierarchy:
dc=spi,dc=net
->c=cl
-->ou=users
--->ou=regular
--->ou=admin
The ACL should allow the users under the admin subtree to write in the regular subtree (admin and regular users model).
So, I have the following ACL includes in slapd.conf:
include         /etc/ldap/acls/acl.conf.default
include         /etc/ldap/acls/acl.conf
The ACL files have the following lines:
# /etc/ldap/acls/acl.conf.default
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=spi,dc=net" write
        by anonymous auth
        by self write
        by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=spi,dc=net" write
        by * read
# /etc/ldap/acls/acl.conf
access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net"
        attrs="children"
        by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" manage
        by * read
So, I created a user under the admin subtree with the following DN:
uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net
To test, I'm trying to add a user with the following LDIF file:
# Teste
# the dn line has to come first in an LDIF entry
dn: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
description: Test
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
# spi is a customized class (LDIF has no inline comments, so it is noted here)
objectClass: spi
cn: Teste
sn: teste
givenName: Teste
# the naming attribute value must match the RDN in the dn line
uid: test
l: City
TimeZone: GMT-4
area: Gov
st: State
organization: Organization
o: SPI
preferredLanguage: en-US
However, when I try to add the user (ldapadd -x -D "uid=cl-admin,ou=admins,ou=usuarios,c=cl,dc=spi,dc=net" -W -f /tmp/test.ldif)
I get the following error:
ldap_add: Insufficient access (50)
        additional info: no write access to parent
The debug output log for ACLs shows me the following sequence of information:
Nov  3 12:00:47 nodo108 slapd[16629]: hdb_referrals: tag=104 target="uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net" matched="ou=regular,ou=users,c=cl,dc=spi,dc=net"
Nov  3 12:00:47 nodo108 slapd[16629]: ==> hdb_add: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_required entry (uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net), objectClass "spi"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "objectClass"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "cn"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "sn"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "givenName"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "uid"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "url"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "mail"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "l"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "timeZone"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "area"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "st"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "organization"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "o"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "preferredLanguage"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "structuralObjectClass"
Nov  3 12:00:47 nodo108 slapd[16629]: slap_queue_csn: queing 0xb6603a32 20101103140047.629760Z#000000#000#000000
Nov  3 12:00:47 nodo108 slapd[16629]: bdb_dn2entry("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov  3 12:00:47 nodo108 slapd[16629]: => hdb_dn2id("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov  3 12:00:47 nodo108 slapd[16629]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Nov  3 12:00:47 nodo108 slapd[16629]: => access_allowed: add access to "ou=regular,ou=users,c=cl,dc=spi,dc=net" "children" requested
Nov  3 12:00:47 nodo108 slapd[16629]: => dn: [1] ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: => dn: [3]
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_get: [4] attr children
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_mask: access to entry "ou=regular,ou=users,c=cl,dc=spi,dc=net", attr "children" requested
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_mask: to all values by "uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net", (=0)
Nov  3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: cn=admin,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: *
Nov  3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] applying read(=rscxd) (stop)
Nov  3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] mask: read(=rscxd)
Nov  3 12:00:47 nodo108 slapd[16629]: => slap_access_allowed: add access denied by read(=rscxd)
Nov  3 12:00:47 nodo108 slapd[16629]: => access_allowed: no more rules
Nov  3 12:00:47 nodo108 slapd[16629]: hdb_add: no write access to parent
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_result: conn=26 op=1 p=3
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_result: err=50 matched="" text="no write access to parent"
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_response: msgid=2 tag=105 err=50
Nov  3 12:00:47 nodo108 slapd[16629]: conn=26 op=1 RESULT tag=105 err=50 text=no write access to parent
I tried a lot of different solutions, but nothing seems to work. Does anybody have a clue about how to fix it?
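As an added example (not part of the post and not OpenLDAP code), here is a small Python model of the slapd.access(5) evaluation order, run against the two rules from the post that matter for this add: only the first `access to` clause whose target matches is consulted, and within it the first matching `by` clause decides. It reproduces the `applying read(=rscxd)` outcome from the debug log, shows that swapping the order alone would not help because `dn.children` never matches the parent entry whose `children` pseudo-attribute is being checked, and shows a `dn.subtree` rule placed ahead of `access to *` that grants the add. The DNs come from the post; the matching styles, the `entry`/`children` pseudo-attributes and the rule numbering are the model's own simplifications.

```python
from collections import namedtuple
# Access levels in increasing order; "write" covers adding and deleting children.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Acl: what_style is "*", "base", "children" or "sub"; empty attrs = any attribute; by = [(style, pattern, level)]
Acl = namedtuple("Acl", "what_style what_dn attrs by", defaults=["", frozenset(), []])

def dn_matches(style, pattern, dn):
    """DN matching for the styles used in the post ("*" = any DN)."""
    if style == "*":
        return True
    if style == "base":        # exactly this entry
        return dn == pattern
    if style == "children":    # strictly below the pattern, never the entry itself
        return dn.endswith("," + pattern)
    if style == "sub":         # the entry itself or anything below it
        return dn == pattern or dn.endswith("," + pattern)
    raise ValueError(style)

def access_allowed(acls, target_dn, attr, bind_dn, needed="write"):
    """Only the first <what> clause that matches is consulted (slapd.access(5)).
    Returns (allowed, 1-based index of the deciding clause, level it granted)."""
    for idx, acl in enumerate(acls, 1):
        if not dn_matches(acl.what_style, acl.what_dn, target_dn):
            continue
        if acl.attrs and attr not in acl.attrs:
            continue
        for style, pattern, level in acl.by:
            if dn_matches(style, pattern, bind_dn):
                return LEVELS.index(level) >= LEVELS.index(needed), idx, level
        return False, idx, "none"   # <what> matched but no <by> did: implicit "by * none"
    return False, 0, "none"         # nothing matched: default is no access

ROOTDN = "cn=admin,dc=spi,dc=net"
ADMIN_SUB = "ou=admins,ou=users,c=cl,dc=spi,dc=net"
CL_ADMIN = "uid=cl-admin," + ADMIN_SUB
PARENT = "ou=regular,ou=users,c=cl,dc=spi,dc=net"
# The two rules that matter, in the post's include order (acl.conf.default before acl.conf).
POSTED = [
    Acl("*", by=[("base", ROOTDN, "write"), ("*", "", "read")]),   # matches first and decides
    Acl("children", PARENT, {"children"}, [("sub", ADMIN_SUB, "manage"), ("*", "", "read")]),
]
# Corrected: a dn.subtree rule listed before "access to *"; it covers the parent's
# "children" pseudo-attribute and the new entries created below it.
FIXED = [Acl("sub", PARENT, by=[("sub", ADMIN_SUB, "write"), ("*", "", "read")]), POSTED[0]]

def can_add(acls, parent_dn, new_dn, bind_dn):
    """An add needs write on the parent's "children" and on the new entry's "entry"."""
    return (access_allowed(acls, parent_dn, "children", bind_dn)[0]
            and access_allowed(acls, new_dn, "entry", bind_dn)[0])
```

Regular users bound under ou=regular still get only `read` from the corrected rule set, so the admin/regular split the post describes is preserved.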