
Re: Problem with ACL in 2.4.22
On 28 Dec. 10, at 16:07, Nick Milas wrote:

Hi,

I have upgraded from 2.3.43 to 2.4.22 on CentOS 5.5.

Everything works fine, except my ACLs don't work on the new version. Strange results occur.

Has anything changed significantly in v2.4 ACLs in comparison to v2.3 ACLs?
Just a guess.
According to http://www.openldap.org/doc/admin24/appendix-upgrading.html: 'Search operations now require "search" privileges on the "entry" pseudo-attribute of the search base.' Maybe you need to add the search privilege at an upper level in your DIT.

Regards,
Thierry

For example, the following piece of code works as expected in v2.3 but not in v2.4. If some user logs in and is a member of a GroupXAdmins (where X = 1-6), he can't see the branch at all.

# Allow access to entries of the subtree
#
access to dn.sub="dc=12.11.10.in-addr.arpa,ou=dns1,dc=example,dc=com" attrs="children,entry"
       by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" write
       by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" write
       by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" read
       by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
       by * break

# Allow access to all attributes of the subtree
#
access to dn.sub="dc=12.11.10.in-addr.arpa,ou=dns1,dc=example,dc=com"
       by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" write
       by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" write
       by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" read
       by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" read
       by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=com" read

where Groups are of the form:

  dn: cn=Group1Admins,ou=Groups,dc=example,dc=com
  objectClass: groupOfNames
  cn: Group1Admins
  member: uid=userx,ou=people,dc=example,dc=com

Please, help.

Nick
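The following slapd.conf fragment is an added illustration of the upgrade note Thierry points to; it is not part of the original thread and was not posted by either participant. It assumes the group members run their searches with a base above the zone subtree (the suffix dc=example,dc=com, or ou=dns1,dc=example,dc=com), which is the situation in which 2.4 refuses the search even though the dn.sub rules quoted above grant read on the zone entries themselves. The rule must come before the zone rules in slapd.conf, because the first "access to" clause whose target matches is the one evaluated.

```conf
# Added example, not from the original thread.
# Assumption: the admin groups search with a base of dc=example,dc=com
# or ou=dns1,dc=example,dc=com, i.e. above the zone subtree.
# OpenLDAP 2.4 requires "search" access to the "entry" pseudo-attribute
# of the search base itself, so grant exactly that (and nothing more)
# on the two candidate bases. The regex matches only those two DNs.
access to dn.regex="^(ou=dns1,)?dc=example,dc=com$" attrs=entry
       by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" search
       by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" search
       by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" search
       by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" search
       by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" search
       by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" search
       by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=com" search
       by * break

# The zone rules from the original post follow here unchanged; inside the
# zone they already grant "read" on the entry attribute, and read implies
# search, so the returned entries need no further change.
```

Granting only "search" on the base entry lets a member start a subtree search there without being able to read the base entry's attributes, which keeps the exposure limited to what the zone rules already allow. The cheapest way to confirm the effect before restarting slapd is slapacl against the edited configuration, e.g. slapacl -f /path/to/slapd.conf -D "uid=userx,ou=people,dc=example,dc=com" -b "dc=example,dc=com" entry/search, which reports whether that identity is granted search on the entry attribute of the base; repeat with a zone entry DN and entry/read to check the existing rules still apply.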