ACL Help - detailed information follows
- To: OpenLDAP-software@OpenLDAP.org
- Subject: ACL Help - detailed information follows
- From: Terry <td3201@gmail.com>
- Date: Thu, 16 Feb 2006 16:05:57 -0600
I am trying to write to an entry. Here is my log:
Feb 16 15:57:18 localhost slapd[26992]: => dnpat: [5] ^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$ nsub: 2
Feb 16 15:57:18 localhost slapd[26992]: => dnpat: [6] ^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$ nsub: 3
Feb 16 15:57:18 localhost slapd[26992]: => acl_get: [6] matched
Feb 16 15:57:18 localhost slapd[26992]: => acl_get: [7] attr telephoneNumber
Feb 16 15:57:18 localhost slapd[26992]: access_allowed: no res from state (telephoneNumber)
Feb 16 15:57:18 localhost slapd[26992]: => acl_mask: access to entry "uid=39,ou=addr,uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net", attr "telephoneNumber" requested
Feb 16 15:57:18 localhost slapd[26992]: => acl_mask: to all values by "uid=joe,ou=users,ou=oxobjects,dc=domain,dc=net", (=n)
Feb 16 15:57:18 localhost slapd[26992]: <= check a_dn_pat: self
Feb 16 15:57:18 localhost slapd[26992]: <= check a_dn_pat: users
Feb 16 15:57:18 localhost slapd[26992]: <= acl_mask: [2] applying read(=rscx) (stop)
Feb 16 15:57:18 localhost slapd[26992]: <= acl_mask: [2] mask: read(=rscx)
Feb 16 15:57:18 localhost slapd[26992]: => access_allowed: write access denied by read(=rscx)
Here is my acl config:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# protect the userPassword attribute
access to attr=userPassword
    by self =w
    by anonymous auth
# global address book
access to dn.subtree="o=AddressBook,ou=OxObjects,dc=domain,dc=net"
    by group.exact="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=domain,dc=net" write
    by users read
# personal address book
access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$"
    attrs=children
    by dn.exact,expand="$1" write
access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$"
    attrs=entry
    by dn.exact,expand="$2" write
# default rule allowing users full access to their own entries
access to *
    by self write
    by users read
I authenticate with the full dn (uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net).
Thanks for any help!
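The log above shows the first-match logic that decides this request: acl [6] matched the entry DN, but its `attrs=entry` selector does not cover `telephoneNumber`, so slapd moved on to acl [7] (`access to *`), where `self` fails (the bound DN is the parent, not the child entry) and `by users read` stops evaluation with read, which cannot satisfy a write. The following Python model is an added example written for this thread, not OpenLDAP code and not from the post. It replays the posted rules against the request in the log and then against a candidate variant that drops `attrs=entry` from the second regex rule; that variant is an assumption of this example, not something the post proposes. The model simplifies slapd in two labelled ways: it carries no group membership data (so `group.exact` never matches) and it denies when no acl matches at all, a case the posted config never reaches because `access to *` comes last.

```python
"""Toy model of slapd ACL evaluation (added example, not OpenLDAP code).
Handles only what the posted config uses: dn.base/dn.subtree/dn.regex
targets, attr(s)= selectors, and the who clauses *, self, users, anonymous,
dn.exact,expand and group.exact. Modelled slapd rule: the first `access to`
whose target AND attribute selector match is the only one consulted, and
inside it the first matching `by` clause decides; no matching clause = none."""
import re
import shlex

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ALIASES = {"=w": "write", "=r": "read", "=x": "auth"}  # exact-privilege spellings

def normalize(dn):
    return dn.lower()  # slapd evaluates ACLs against the normalized DN

def parse_acls(text):
    """Turn `access to <what> [attrs=..] by <who> <level> ...` into dicts."""
    tok = shlex.split(text, comments=True)  # unquotes values, drops # comments
    rules, i = [], 0
    while i < len(tok):
        assert tok[i:i + 2] == ["access", "to"], tok[i]
        rule, i = {"what": ("*", None), "attrs": None, "by": []}, i + 2
        while tok[i] != "by":
            if tok[i].startswith(("attrs=", "attr=")):
                rule["attrs"] = {a.lower() for a in tok[i].split("=", 1)[1].split(",")}
            elif tok[i] != "*":
                rule["what"] = tuple(tok[i].split("=", 1))  # ("dn.regex", "^uid=...")
            i += 1
        while i < len(tok) and tok[i] == "by":
            rule["by"].append((tok[i + 1], ALIASES.get(tok[i + 2], tok[i + 2])))
            i += 3
        rules.append(rule)
    return rules

def what_matches(what, target):
    """True/False, or the regex match object (its groups feed $N expansion)."""
    kind, value = what
    if kind == "*":
        return True
    if kind == "dn.base":
        return normalize(value) == target
    if kind == "dn.subtree":
        return target == normalize(value) or target.endswith("," + normalize(value))
    if kind == "dn.regex":
        return re.match(value, target, re.IGNORECASE)  # slapd compiles with REG_ICASE
    raise ValueError(kind)

def who_matches(who, bound, target, m):
    if who == "*":
        return True
    if who in ("users", "anonymous"):
        return (bound != "") == (who == "users")
    if who == "self":
        return bound != "" and bound == target
    if who.startswith("dn.exact,expand="):
        if not hasattr(m, "group"):
            return False  # $N expansion needs a dn.regex target
        dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), who.split("=", 1)[1])
        return normalize(dn) == bound
    return False  # group.exact: this model has no membership data (assumption)

def access_allowed(rules, bound, target, attr, requested):
    """(allowed, acl#, by-clause#, level); indices are 1-based like slapd's log."""
    bound, target, attr = normalize(bound), normalize(target), attr.lower()
    for n, rule in enumerate(rules, 1):
        m = what_matches(rule["what"], target)
        if not m or (rule["attrs"] is not None and attr not in rule["attrs"]):
            continue  # target or attribute not covered: consult the next acl
        for k, (who, level) in enumerate(rule["by"], 1):
            if who_matches(who, bound, target, m):
                return LEVELS[level] >= LEVELS[requested], n, k, level
        return False, n, 0, "none"  # no by clause matched
    return False, 0, 0, "none"  # model choice; unreachable with `access to *` last

# The ACLs as posted; the candidate below is this example's assumption, not Terry's.
ORIGINAL_ACLS = '''
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attr=userPassword
    by self =w
    by anonymous auth
access to dn.subtree="o=AddressBook,ou=OxObjects,dc=domain,dc=net"
    by group.exact="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=domain,dc=net" write
    by users read
access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$" attrs=children
    by dn.exact,expand="$1" write
access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$"
    attrs=entry
    by dn.exact,expand="$2" write
access to *
    by self write
    by users read
'''
# Candidate: drop attrs=entry so the owner's write covers every attribute of the child.
CANDIDATE_ACLS = ORIGINAL_ACLS.replace("    attrs=entry\n", "")

def evaluate_post_scenario(acl_text):
    """The operation from the posted log: joe writing telephoneNumber on a
    child entry of his personal address book."""
    return access_allowed(parse_acls(acl_text),
                          "uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net",
                          "uid=39,ou=addr,uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net",
                          "telephoneNumber", "write")
```

Running `evaluate_post_scenario(ORIGINAL_ACLS)` reproduces the log (acl 7, clause 2, read, denied); with `CANDIDATE_ACLS` the owner's expanded `$2` clause in acl 6 grants write. Because slapd stops at the first acl whose target and attribute both match, the fix for a selector like this has to live in the rule that matches the DN, not in a later one; the `userPassword` rule earlier in the list still takes precedence for that attribute.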