Re: Openldap Aci Problem
> Hello!
> I am a new user to openldap and I am using it on Debian with
> openldap-2.2.13, and I have compiled it using the following
> sequence:
>
> #./configure --disable-bdb --enable-ldbm --with-ldbm-api=gdbm
> --enable-crypt --enable-aci=yes
> --prefix=/home/bhavesh/tmp/deleteme/
> #make depend
>
> #make
>
> #make install
>
> then I have made changes in slapd.conf like database ldbm,
> and my slapd.conf is like this:
>
> loglevel 2
> include /usr/local/ldap/etc/openldap/schema/core.schema
> include /usr/local/ldap/etc/openldap/schema/cosine.schema
> include /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
> include /usr/local/ldap/etc/openldap/schema/nis.schema
>
> pidfile /tmp/try//var/run/slapd.pid
> argsfile /tmp/try//var/run/slapd.args
>
> database ldbm
> suffix "dc=lan,dc=deeproot,dc=co,dc=in"
> #rootdn "cn=admin,dc=lan,dc=deeproot,dc=co,dc=in"
> #rootpw admin
> rootdn "uid=easypush,ou=people,dc=lan,dc=deeproot,dc=co,dc=in"
> rootpw easypush
> #directory /usr/local/ldap/var/openldap-ldbm
> directory /home/bhavesh/tmp/try/var/openldap-data
>
> index objectClass eq
>
>
> access to *
> by aci write
> by * none
>
> I have followed the sequence from the following reference
> http://www.openldap.org/faq/data/cache/634.html
>
> In that reference I can't understand the second step. For ACI, which
> access.conf do I have to change? I can't find access.conf on my
> system, so I have written "access to * by aci write" in the slapd.conf.
> If you know about access.conf then please tell me in which
> access.conf I have to write?
There is no access.conf, but some people have the habit of putting ACLs in a
separate file (e.g. access.conf) and including it in slapd.conf, because
ACLs, in some cases, may become pretty long and limit the readability of
slapd.conf; it's a matter of one's taste and style.
>
> all the LDIF entries that I have added to my server are:
>
> dn: dc=lan,dc=deeproot,dc=co,dc=in
> o: deeproot
> dc: lan
> objectClass: top
> objectClass: organization
> objectClass: dcObject
>
> dn: ou=addressBook,dc=lan,dc=deeproot,dc=co,dc=in
> ou: addressBook
> objectClass: top
> objectClass: organizationalUnit
>
> dn: ou=People,dc=lan,dc=deeproot,dc=co,dc=in
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> dn: ou=addressBook1,dc=lan,dc=deeproot,dc=co,dc=in
> ou: addressBook1
> objectClass: top
> objectClass: organizationalUnit
>
> dn: uid=bhavesh,dc=lan,dc=deeproot,dc=co,dc=in
> uid: bhavesh
> objectClass: organizationalUnit
> objectClass: uidObject
> ou: Deeproot
>
> dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in
> uid: bhavesh1
> userPassword:: e0NSWVBUfXJmV2dxbk8vcklKZlU=
> objectClass: top
> objectClass: account
> objectClass: simpleSecurityObject
>
> dn: uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in
> uid: bhavesh2
> userPassword:: e0NSWVBUfURGSTVpd00vaDl2RU0=
> objectClass: top
> objectClass: account
> objectClass: simpleSecurityObject
>
> dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
> uid: bhavesh3
> userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
> objectClass: top
> objectClass: account
> objectClass: simpleSecurityObject
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in
>
>
> All these entries are successfully added, but what I want is that the
> entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in will
> only be accessible by dn: uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in,
> so I have added the ACI in the last entry.
>
> But when I do
>
> #ldapsearch -b "dc=lan,dc=deeproot,dc=co,dc=in" -D "uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in" -W
>
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # bhavesh3, lan.deeproot.co.in
> dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in
> uid: bhavesh3
> userPassword:: e0NSWVBUfVY5ZUo2TzRGV0I2akE=
> objectClass: top
> objectClass: account
> objectClass: simpleSecurityObject
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Then the entry dn: uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in is
> readable to user bhavesh2; this should not happen.
>
> Please help me if you find any step missing or wrong in the given
> sequence.
First of all, if your only ACL is
access to *
by aci write
(the "by * none" is redundant, you can omit it) and the only entry with an
OpenLDAPaci is the "uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in", then you
shouldn't even be able to bind as
"uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in", so there might be another
rule that catches all and thus the "by aci" clause is never tested. I
suggest you try with 128 OR-ed to your usual log level, and see what
happens during ACL evaluation. Also, note that 2.2.13 is a bit outdated,
and recently (2.2.15) a bug in ACL caching of ACIs was fixed, so an
upgrade is suggested. If you're interested in using ACIs, I suggest you
keep an eye on HEAD code as well, because some improvements are under
development; there was a discussion about this in -devel recently (which
means discussing ideas, no code is in place yet and no schedule can be
envisaged); see
http://www.openldap.org/lists/openldap-devel/200411/msg00092.html .
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
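Added illustration of the reply's reasoning (not code from the question, the poster, or OpenLDAP itself): a toy Python model of slapd's first-match ACL evaluation, with "by aci write" served by the OpenLDAPaci value from the LDIF above. It assumes the simplified rule "first matching access directive, then first matching by clause, otherwise denied", and its ACI parser covers only the single-grant form shown in the question; the entries and the hypothetical earlier catch-all rule are constructed here.

```python
# Toy model of slapd ACL evaluation, written for this page (not slapd code):
# the first "access to" directive whose target matches decides, and within it
# the first matching "by" clause wins; "by aci write" is modelled by reading
# OpenLDAPaci values on the target entry. The ACI parser only covers the
# single "grant" form used in the question. No LDAP server is contacted.

ENTRIES = {  # constructed from the question's LDIF, passwords omitted
    "uid=bhavesh2,dc=lan,dc=deeproot,dc=co,dc=in": [],
    "uid=bhavesh3,dc=lan,dc=deeproot,dc=co,dc=in": [
        "1#entry#grant;r,w,s,c;[all]#access-id#uid=bhavesh1,dc=lan,dc=deeproot,dc=co,dc=in",
    ],
}
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PERM_LETTER = {"read": "r", "write": "w", "search": "s", "compare": "c"}

def parse_aci(aci):
    """Split 'oid#scope#action;perms;attrs#subject-type#subject' into fields."""
    oid, scope, rights, subj_type, subject = aci.split("#", 4)
    action, perms, attrs = rights.split(";")
    return {"oid": oid, "scope": scope, "action": action, "attrs": attrs,
            "perms": set(perms.split(",")), "subj_type": subj_type, "subject": subject}

def aci_grants(entry_dn, bind_dn, wanted):
    """True if an OpenLDAPaci on entry_dn grants the wanted access to bind_dn."""
    letter = PERM_LETTER.get(wanted)  # "auth" has no letter here: never granted
    for raw in ENTRIES.get(entry_dn, []):
        aci = parse_aci(raw)
        if (aci["action"] == "grant" and aci["subj_type"] == "access-id"
                and aci["subject"].lower() == bind_dn.lower() and letter in aci["perms"]):
            return True
    return False

def evaluate(acls, entry_dn, bind_dn, wanted):
    """Return (allowed, reason) for bind_dn requesting `wanted` on entry_dn."""
    for target, by_clauses in acls:
        if target not in ("*", entry_dn):
            continue
        for who, level in by_clauses:
            if who == "aci":
                if aci_grants(entry_dn, bind_dn, wanted):
                    return True, "granted by OpenLDAPaci on " + entry_dn
                continue  # no ACI matched: try the next "by" clause
            if who in ("*", bind_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), f"by {who} {level}"
        return False, "no by clause matched (implicit by * none)"
    return False, "no access directive matched"

QUESTION_ACLS = [("*", [("aci", "write"), ("*", "none")])]
# Hypothetical earlier catch-all (not on the page) that would explain the symptom:
CATCHALL_FIRST = [("*", [("*", "read")])] + QUESTION_ACLS
```

With QUESTION_ACLS alone, bhavesh2 is denied read on bhavesh3's entry and cannot even get auth access to its own userPassword, which is the reply's point; only a rule evaluated before the "by aci" clause, as in CATCHALL_FIRST, reproduces the observed search result.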