[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Letting Users Create Groups
> ACLs along these lines should do the rest
Actually, this doesn't seem to work:
access to
dn.exact="ou=Group,dc=example"
attrs=children
by users write
by * break
access to
dn.subtree="ou=Group,dc=example"
attrs=entry
filter="(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber>=1000)(gidNumber<=10000))"
by users add
by * break
access to
dn.subtree="ou=Group,dc=example"
attrs=manager,memberUid,description,myStatus
by set="this/manager & user" write
by * break
If I take out the "filter" line, it works fine, but with the "filter" line there it doesn't work, regardless of what gidNumber I provide.
The OpenLDAP log with "acl" logging enabled is attached. What do I need to add to these ACLs to get this working? I tried adding all the group-specific attributes to the "attrs=entry" line, but that did not help.
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
slapd[50953]: => access_allowed: result not in cache (userPassword)
slapd[50953]: => access_allowed: auth access to "uid=webtest,ou=People,dc=example" "userPassword" requested
slapd[50953]: => acl_get: [1] attr userPassword
slapd[50953]: => acl_mask: access to entry "uid=webtest,ou=People,dc=example", attr "userPassword" requested
slapd[50953]: => acl_mask: to value by "", (=0)
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => acl_get: [3] matched
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => acl_get: [4] matched
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "objectClass" requested
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "soeStatus" requested
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "soeStatus" requested
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => acl_get: [5] matched
slapd[50953]: => acl_get: [5] attr userPassword
slapd[50953]: => acl_mask: access to entry "uid=webtest,ou=People,dc=example", attr "userPassword" requested
slapd[50953]: => acl_mask: to value by "", (=0)
slapd[50953]: <= check a_dn_pat: uid=radius,ou=people,dc=example
slapd[50953]: <= check a_dn_pat: self
slapd[50953]: <= check a_dn_pat: anonymous
slapd[50953]: <= check a_authz.sai_ssf: ACL 128 > OP 256
slapd[50953]: <= acl_mask: [3] applying auth(=xd) (stop)
slapd[50953]: <= acl_mask: [3] mask: auth(=xd)
slapd[50953]: => slap_access_allowed: auth access granted by auth(=xd)
slapd[50953]: => access_allowed: auth access granted by auth(=xd)
slapd[50953]: => access_allowed: search access to "ou=Group,dc=example" "entry" requested
slapd[50953]: <= root access granted
slapd[50953]: => access_allowed: search access granted by manage(=mwrscxd)
slapd[50953]: => access_allowed: search access to "ou=Group,dc=example" "entry" requested
slapd[50953]: <= root access granted
slapd[50953]: => access_allowed: search access granted by manage(=mwrscxd)
slapd[50953]: slap_queue_csn: queing 0x7fffff3fd220 20110318163310.018942Z#000000#000#000000
slapd[50953]: => access_allowed: add access to "ou=Group,dc=example" "children" requested
slapd[50953]: => acl_get: [1] attr children
slapd[50953]: => acl_mask: access to entry "ou=Group,dc=example", attr "children" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0)
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_group_pat: cn=ldap-admins,ou=group,dc=example
slapd[50953]: => bdb_entry_get: found entry: "cn=ldap-admins,ou=group,dc=example"
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => dn: [6] ou=people,dc=example
slapd[50953]: => dn: [7] ou=people,dc=example
slapd[50953]: => dn: [8] ou=people,dc=example
slapd[50953]: => dn: [9] ou=people,dc=example
slapd[50953]: => dn: [10] ou=group,dc=example
slapd[50953]: => acl_get: [10] matched
slapd[50953]: => acl_get: [10] attr children
slapd[50953]: => acl_mask: access to entry "ou=Group,dc=example", attr "children" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0)
slapd[50953]: <= check a_dn_pat: users
slapd[50953]: <= acl_mask: [1] applying write(=wrscxd) (stop)
slapd[50953]: <= acl_mask: [1] mask: write(=wrscxd)
slapd[50953]: => slap_access_allowed: add access granted by write(=wrscxd)
slapd[50953]: => access_allowed: add access granted by write(=wrscxd)
slapd[50953]: => access_allowed: add access to "cn=foo,ou=Group,dc=example" "entry" requested
slapd[50953]: => acl_get: [1] attr entry
slapd[50953]: => acl_mask: access to entry "cn=foo,ou=Group,dc=example", attr "entry" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0)
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_group_pat: cn=ldap-admins,ou=group,dc=example
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => dn: [6] ou=people,dc=example
slapd[50953]: => dn: [7] ou=people,dc=example
slapd[50953]: => dn: [8] ou=people,dc=example
slapd[50953]: => dn: [9] ou=people,dc=example
slapd[50953]: => dn: [10] ou=group,dc=example
slapd[50953]: => dn: [11] ou=group,dc=example
slapd[50953]: => acl_get: [11] matched
slapd[50953]: => access_allowed: search access to "cn=foo,ou=Group,dc=example" "objectClass" requested
slapd[50953]: => access_allowed: search access to "cn=foo,ou=Group,dc=example" "objectClass" requested
slapd[50953]: => dn: [12] ou=group,dc=example
slapd[50953]: => acl_get: [12] matched
slapd[50953]: => acl_get: [13] attr entry
slapd[50953]: => acl_mask: access to entry "cn=foo,ou=Group,dc=example", attr "entry" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0)
slapd[50953]: <= check a_peername_path: 128.114..*
slapd[50953]: => acl_string_expand: pattern: 128.114..*
slapd[50953]: => acl_string_expand: expanded: 128.114..*
slapd[50953]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[50953]: <= acl_mask: [1] mask: read(=rscxd)
slapd[50953]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[50953]: => access_allowed: no more rules
slapd[50953]: slap_graduate_commit_csn: removing 0x807016790 20110318163310.018942Z#000000#000#000000