
ACL for adding subtree
Hi,
After many tries, I am still unable to add entries beneath the bind
entry. Here are the ACL and the LDIF. While I understand the ACL stuff,
implementing an access scheme has been a hair-tearing experience.

I am able to bind to "uid=ramana,ou=CS,o=IISc,c=IN", but when I try to
add an address object underneath it I get

$ ldapadd -W -D"uid=ramana, ou=CS, o=IISc, c=IN" -f address.ldif
Enter LDAP Password: 
adding new entry cn=Address, uid=ramana, ou=CS, o=IISc, c=IN
ldap_add: Insufficient access

*** Error code 50
$
Please help.
Thanks,
ramana
ACL
===
# subtree write (if DN fits within naming)
# other dn's, read
# default none
access to dn="^.+,([:alnum:]+=[:alnum:]+,[:alnum:]+=[:alnum:]+,o=IISc,c=IN)$"
    by dn="$1" write
    by dn=".*,o=IISc,c=IN" read
    by * none

LDIF
====

dn: cn=Address, uid=ramana, ou=CS, o=IISc, c=IN
changeType: add
postalAddress: myaddress
city: city
state: XX
c: US
postalCode: 11111
homePhone: 800-555-1212
slapd.log
=========
do_add
    do_add: ndn (CN=RAMANA'S ADDRESS,UID=RAMANA,OU=CS,O=IISC,C=IN)
==> ldbm_back_add: cn=Ramana's Address, uid=ramana, ou=CS, o=IISc, c=IN
=> dn2id( "CN=RAMANA'S ADDRESS,UID=RAMANA,OU=CS,O=IISC,C=IN" )
=> ldbm_cache_open( "/home/ramana/AddressBook/data/dn2id.dbb", 7, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
dn2entry_w: dn: "UID=RAMANA,OU=CS,O=IISC,C=IN"
=> dn2id( "UID=RAMANA,OU=CS,O=IISC,C=IN" )
====> cache_find_entry_dn2id: found dn: UID=RAMANA,OU=CS,O=IISC,C=IN
<= dn2id 8 (in cache)
=> id2entry_w( 8 )
====> cache_find_entry_dn2id: found id: 8 rw: 1
entry_rdwr_wtrylock: ID: 8
listening for connections on 3, activity on: 5r
before select active_threads 1
<= id2entry_w 0xf1740 (cache)

=> access_allowed: entry (uid=ramana, ou=CS, o=IISc, c=IN) attr (children)

=> acl_get: entry (uid=ramana, ou=CS, o=IISc, c=IN) attr (children)
=> acl_get: edn UID=RAMANA,OU=CS,O=IISC,C=IN
=> dnpat: [1] .*,O=IISC,C=IN nsub: 0
=> acl_get: [1] global ACL match
=> acl_get: [1] check attr
=> dnpat: [2] .*,O=IISC,C=IN nsub: 0
=> acl_get: [2] global ACL match
=> acl_get: [2] check attr
=> dnpat: [3] ^.+,([:ALNUM:]+=[:ALNUM:]+,[:ALNUM:]+=[:ALNUM:]+,O=IISC,C=IN)$ nsub: 1
=> dnpat: [4] ^[:ALNUM:]+=[:ALNUM:]+,[:ALNUM:]+=[:ALNUM:]+,O=IISC,C=IN$ nsub: 0
=> dnpat: [5] .*,O=IISC,C=IN nsub: 0
=> acl_get: [5] global ACL match
=> acl_get: [5] check attr
<= acl_get: [5] global acl uid=ramana, ou=CS, o=IISc, c=IN attr: children

=> acl_access_allowed: write access to entry "uid=ramana, ou=CS, o=IISc, c=IN"

=> acl_access_allowed: write access to value "any" by "UID=RAMANA,OU=CS,O=IISC,C=IN"
<= check a_dnpat: CN=ROOT,O=IISC,C=IN
=> string_expand: pattern:  CN=ROOT,O=IISC,C=IN
=> string_expand: expanded: CN=ROOT,O=IISC,C=IN
=> regex_matches: string:   UID=RAMANA,OU=CS,O=IISC,C=IN
=> regex_matches: rc: 1 no matches
<= check a_dnpat: .*,O=IISC,C=IN
=> string_expand: pattern:  .*,O=IISC,C=IN
=> string_expand: expanded: .*,O=IISC,C=IN
=> regex_matches: string:   UID=RAMANA,OU=CS,O=IISC,C=IN
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (uid=ramana, ou=CS, o=IISc, c=IN) attr (children)
no access to parent
send_ldap_result 50::
ber_flush: 14 bytes to sd 5
         0 0c 02 01 02  i 07 0a 01  2 04 00 04 00 
select activity on 1 descriptors
activity on: 5r
read activity on 5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf 0xac968, ptr 0xac968, end 0xac96d
          current len 5, contents:
        02 01 03  B 00
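The log above shows the two things that decide this request: slapd authorises an add against the parent entry's `children` pseudo-attribute ("access_allowed: entry (uid=ramana, ...) attr (children)", then "no access to parent"), and it compares the normalised, upper-cased DN against each `access to dn=` pattern in turn, so pattern [3] is never selected and the catch-all clause #2 only grants read. The following is an added example, not code from the post or from OpenLDAP: a small Python emulation of that clause selection and of `$N` expansion in a `by dn=` clause. It assumes a `cn=root` catch-all clause shaped like the log's clause #2 (the poster's full slapd.conf is not shown), uses `[^,]+` as a stand-in for an RDN component because Python's `re` has no POSIX `[[:alnum:]]` class, and assumes slapd expands `$2` the same way it expands `$1`. It goes slightly beyond the post by also checking a different bind DN and a grandchild entry.

```python
import re

# Added example (not from the post): emulate how slapd picks an
# "access to dn=<regex>" clause for an ldapadd and expands "$N" in
# "by dn=".  Two facts from the posted log drive it:
#   1. an add is checked on the PARENT entry's "children" attribute;
#   2. DNs and patterns are compared in normalised form (upper case,
#      no spaces after commas), as the log's "ndn" lines show.

def normalize_dn(dn):
    """Upper-case and drop the spaces after commas, like the log's 'ndn'."""
    return ",".join(part.strip() for part in dn.split(",")).upper()

def parent_dn(dn):
    """The entry whose 'children' attribute an add is authorised against."""
    return normalize_dn(dn).split(",", 1)[1]

def expand(by_pattern, match):
    """Replace $1..$9 in a 'by dn=' pattern with groups of the 'to dn=' match
    (slapd does not escape the result; it is used as a regex, as here)."""
    return re.sub(r"\$([1-9])",
                  lambda g: match.group(int(g.group(1))) or "", by_pattern)

def access_for_add(acl, bind_dn, new_dn):
    """Access level the first selected clause grants bind_dn on the parent
    of new_dn.  An add needs 'write'."""
    target = parent_dn(new_dn)
    who_am_i = normalize_dn(bind_dn)
    for to_pattern, by_clauses in acl:
        selected = re.search(to_pattern, target, re.IGNORECASE)
        if selected is None:
            continue  # clause does not apply to the parent entry
        for who, level in by_clauses:
            if who == "*" or re.fullmatch(expand(who, selected), who_am_i,
                                          re.IGNORECASE):
                return level
        return "none"  # clause selected but no 'by' matched
    return "none"

def add_allowed(acl, bind_dn, new_dn):
    return access_for_add(acl, bind_dn, new_dn) == "write"

# Constructed sample input (DNs taken from the post).
BIND_DN = "uid=ramana, ou=CS, o=IISc, c=IN"
NEW_DN = "cn=Address, uid=ramana, ou=CS, o=IISc, c=IN"

# Assumed catch-all, shaped like the log's clause #2 (rootdn write, all read).
CATCH_ALL = (r".*,o=IISc,c=IN",
             [(r"cn=root,o=IISc,c=IN", "write"),
              (r".*,o=IISc,c=IN", "read"),
              ("*", "none")])

# Clause exactly as posted.  '[:alnum:]' is not a POSIX class unless wrapped
# as '[[:alnum:]]'; Python (like a regcomp that accepts it) reads it as the
# literal characters : a l n u m.  And the leading '.+,' demands something in
# front of 'uid=ramana', which the parent entry itself does not have.
POSTED_ACL = [
    (r"^.+,([:alnum:]+=[:alnum:]+,[:alnum:]+=[:alnum:]+,o=IISc,c=IN)$",
     [(r"$1", "write"), (r".*,o=IISc,c=IN", "read"), ("*", "none")]),
    CATCH_ALL,
]

# Corrected clause: the prefix is optional so the owner's own entry is
# covered, an RDN component is '[^,]+' (stand-in for '[[:alnum:]]+' in
# slapd's POSIX syntax), and the owner DN is now group 2, hence 'by dn=$2'.
FIXED_ACL = [
    (r"^(.*,)?([^,]+=[^,]+,[^,]+=[^,]+,o=IISc,c=IN)$",
     [(r"$2", "write"), (r".*,o=IISc,c=IN", "read"), ("*", "none")]),
    CATCH_ALL,
]

if __name__ == "__main__":
    print("posted ACL:", access_for_add(POSTED_ACL, BIND_DN, NEW_DN))
    print("fixed ACL: ", access_for_add(FIXED_ACL, BIND_DN, NEW_DN))
    print("other user:", access_for_add(FIXED_ACL,
                                        "uid=other,ou=CS,o=IISc,c=IN", NEW_DN))
```

With the posted clause the emulation falls through to the catch-all and returns `read`, matching the log's "matched by clause #2 access denied"; with the corrected clause the owner gets `write` on both the child and a grandchild, while another user under `ou=CS` still only gets `read`.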