[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object

To: Terje Trane <terjet@funcom.com>
Subject: Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
From: Jonas Kellens <jonas.kellens@telenet.be>
Date: Tue, 01 Apr 2014 11:04:15 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <533A7E93.7040703@funcom.com>
References: <530F578E.5080406@telenet.be> <D6CAF4AF70DC435E24DA423B@[192.168.1.2]> <5321BCB1.2090409@telenet.be> <A1D882AA20147B7C5BF3628C@[192.168.1.46]> <53392ABA.1060302@telenet.be> <1396263134.16013.13.camel@bombur.uio.no> <533A71B8.2070302@telenet.be> <533A7E93.7040703@funcom.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

On 01-04-14 10:53, Terje Trane wrote:

On 01.04.2014 09:58, Jonas Kellens wrote:

even if I add at the beginning of slapd.conf the following :

access to * by *

I still get no results with the user 'cn=U101001,ou=101001,dc=mydomain'

I only get result with 'cn=Manager,dc=mydomain'

Remember that ACLs are "first match used".

If a database does not have an ACL the global ACL applies.

But if it has a database specific ACL, that one is read first when accessing that particular database, and the global then *only* used if there is no match (or a control keyword like break or continue is specified)

I posted it before, but will post it again. This is the database specific ACL :

database        bdb
suffix          "dc=mydomain"
rootdn          "cn=Manager,dc=mydomain"
rootpw         {SSHA}blCAG/CNdFPY597Cf4Ssuj

access to attrs=userPassword
        by * auth

access to dn.regex="ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by * none break

access to dn.
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=101001,dc=mydomain" read

If user 'cn=U101001,ou=101001,dc=mydomain' is member of group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain", wouldn't you agree that it should be able to read the entries in dn "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" ??

Kind regards,
Jonas.

Follow-Ups:
- Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
  - From: Dieter KlÃnter <dieter@dkluenter.de>

References:
- Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
  - From: Jonas Kellens <jonas.kellens@telenet.be>

Prev by Date: Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
Next by Date: Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
Index(es):
- Chronological
- Thread