[Date Prev][Date Next] [Chronological] [Thread] [Top]

probably simple acl problem

To: openldap-software@OpenLDAP.org
Subject: probably simple acl problem
From: Kuba Leszewski <k.leszewski@ce3.pl>
Date: Mon, 25 Nov 2002 12:13:41 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021119

Hi,

I added some entries to the ldaptree and want to use one of them as a "super-user". I mean I want to add more entries authenticating as this user.

The entry is:

dn: uid=mylogin,ou=People,dc=mydomain,dc=com
uid: mylogin
cn: My Name
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}asdlvkjabsevuib
shadowLastChange: 11927
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/mylogin

And the acls are:
access to dn="(.*,)*,dc=mydomain,dc=com"
        by dn="uid=mylogin,ou=People,dc=ce3,dc=pl" write

access to attr=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous none

access to * by * none


The log file shows:

Nov 25 12:09:02 gate slapd[5138]: => access_allowed: auth access to "uid=mylogin,ou=People,dc=mydomain,dc=com" "userPassword" requested Nov 25 12:09:02 gate slapd[5138]: => dnpat: [1] (.*,)*,dc=ce3,dc=pl nsub: 1 Nov 25 12:09:02 gate slapd[5138]: => acl_get: [1] matched Nov 25 12:09:02 gate slapd[5138]: => acl_get: [1] check attr userPassword Nov 25 12:09:02 gate slapd[5138]: <= acl_get: [1] acl uid=mylogin,ou=People,dc=mydomain,dc=com attr: userPassword Nov 25 12:09:02 gate slapd[5138]: => match[0]: 22 35 Nov 25 12:09:02 gate slapd[5138]: , Nov 25 12:09:02 gate slapd[5138]: D Nov 25 12:09:02 gate slapd[5138]: C Nov 25 12:09:02 gate slapd[5138]: = Nov 25 12:09:02 gate slapd[5138]: C Nov 25 12:09:02 gate slapd[5138]: E Nov 25 12:09:02 gate slapd[5138]: 3 Nov 25 12:09:02 gate slapd[5138]: , Nov 25 12:09:02 gate slapd[5138]: D Nov 25 12:09:02 gate slapd[5138]: C Nov 25 12:09:02 gate slapd[5138]: = Nov 25 12:09:02 gate slapd[5138]: P Nov 25 12:09:02 gate slapd[5138]: L Nov 25 12:09:02 gate slapd[5138]: => acl_mask: access to entry "uid=mylogin,ou=People,dc=mydomain,dc=com", attr "userPassword" requested Nov 25 12:09:02 gate slapd[5138]: => acl_mask: to all values by "", (=n) Nov 25 12:09:02 gate slapd[5138]: <= check a_dn_pat: uid=mylogin,ou=People,dc=mydomain,dc=com Nov 25 12:09:02 gate slapd[5138]: <= acl_mask: no more <who> clauses, returning =n (stop) Nov 25 12:09:02 gate slapd[5138]: => access_allowed: auth access denied by =n

What is wrong ? Maybe the ACL is wrong, but for me it seems OK. User authenticated as uid=mylogin should be able to write everywhere below dc=mydomain,dc=com.


Kuba

Follow-Ups:
- Re: probably simple acl problem
  - From: Kuba Leszewski <k.leszewski@ce3.pl>
- Re: probably simple acl problem
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: "TLS certificate verification: Error, self signed certificate"
Next by Date: Re: New 2.1.8 SRPM/RPM packages
Index(es):
- Chronological
- Thread