Re: Help with ACL's for Users/Groups
Here is how my client is binding...
Base DN
o=Home,ou=AddressBooks,dc=Mycompany,dc=com
Bind DN
cn=Me,ou=Users,dc=MyCompany,dc=com
I am a member of the Home group
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com
I wanted to send this out, to show you how I was binding with the client...
I'll turn on the logging for ACL parsing like you suggested.
--On Thursday, July 31, 2008 9:11 AM -0400 "Chris G. Sellers"
<chris.sellers@nitle.org> wrote:
> I think your ACLs are not allowing you to do what you want, but I can't
> say for sure without knowing how your client is binding to your
> directory.
>
> If you turn on openldap's logging for ACL parsing, you should see the
> connection and if it was allowed or denied for the given bind.
>
> ( 128 (0x80 ACL) access control list processing
> : see man slapd.conf for details under loglevel )
>
> Give that a try, and then you should be able to relax or adjust your
> ACLs to allow access.
>
> I hope that helps
> Sellers
>
> On Jul 30, 2008, at 10:42 PM, david stackis wrote:
>
>> Hi -
>>
>> First off, I want to apologize for posting to list when I really
>> should
>> have read more.
>> Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin
>> Guide....and I'm still scratching my head wondering why this isn't
>> working.
>>
>> Here's my structure...
>> I have two Groups..."Home", and "Work"
>> I have two Users..."Me", and "You". These users have passwords.
>>
>> I can search my LDAP using the rootdn, and I'm able to add to each
>> of the
>> Group AddressBooks "Home", and "Group" using the rootdn. What I
>> can't seem
>> to do, is have user "Me" or "You" access any of the AddressBooks.
>>
>> The user "Me" has access to "Home" and "You" has access to "Work"
>> each have
>> two different email addresses.
>>
>> Again...the rootdn can see everything in Thunderbird...but it's "Me"
>> and
>> "You" that seem to have no access.
>> Could someone please point me in the right direction.
>>
>> I'm also using Apache Directory Studio, and I verified that the four
>> entries I added...two being placed in the "Home" AddressBook, and the
>> other
>> two in the "Work" AddressBook. The ACL's I'm using are below...and
>> further
>> down is my LDIF I used to create my structure.
>>
>> I've tried attrs=userPassword, and attr=userPassword...I've seen
>> both of
>> these examples used
>>
>> Thank you for any help.
>>
>> # ACL1
>> access to attrs=userPassword
>> by self write
>> by anonymous auth
>> # ACL2
>> access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
>> by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write
>> # ACL3
>> access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read
>> access to dn.base="" by * read
>> # ACL4
>> access to dn.base="cn=Subschema" by * read
>> # ACL5
>> disallow bind_anon
>>
>> The LDIF I used...
>> # Initialize the suffix entry defined in slapd.conf
>> #
>> dn: dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organization
>> objectclass: dcObject
>> dc: MyCompany
>> o: cctr
>>
>> #
>> # Initialize the AddressBooks hierarchy
>> #
>> dn: ou=AddressBooks,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organizationalUnit
>> ou: AddressBooks
>>
>> #
>> # Define individual address books
>> #
>> dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organization
>> o: Home
>>
>> dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organization
>> o: Work
>>
>> #
>> # Initialize the Users hierarchy
>> #
>> dn: ou=Users,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organizationalUnit
>> ou: Users
>>
>> #
>> # Define individual users
>> #
>> dn: cn=Me,ou=Users,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Me
>> sn: My LastName
>> userPassword: {crypt}XXXXXX
>>
>> dn: cn=You,ou=Users,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: person
>> cn: You
>> sn: You LastName
>> userPassword: {crypt}XXXXXX
>>
>> #
>> # Initialize the Groups hierarchy
>> #
>> dn: ou=Groups,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: organizationalUnit
>> ou: Groups
>>
>> #
>> # Group users into separate address books
>> #
>> dn: o=Home,ou=Groups,dc=MyCompany,dc=com
>> objectclass: top
>> objectclass: groupOfNames
>> cn: Home
>> member: cn=Me,ou=Users,dc=MyCompany,dc=com
>>
>> dn: o=Work,ou=Groups,dc=ucsb,dc=edu
>> objectclass: top
>> objectclass: groupOfNames
>> cn: Work
>> member: cn=You,ou=Users,dc=MyCompany,dc=com
>>
>>
>> -------------------
>> david stackis
>>
>
> ++++++++++++++++++++++++++++++++++++++
> Chris G. Sellers | Internet Engineer | NITLE
> 734.661.2318 | chris.sellers@nitle.org
> Jabber: csellers@nitle.org | AIM: imthewherd
>
-------------------
david stackis
uc santa barbara
phone: 805-893-8286
http://isc.ucsb.edu
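Added example (not code from this thread or from OpenLDAP): an offline check of the thread's ACL2 against the group entries from the posted LDIF. It models the group.expand rule as slapd.access(5) describes it: dn.regex is matched against the target entry's DN, the captured $1 is substituted into the group.expand pattern, and the clause only grants access if an entry with that expanded DN exists and lists the bind DN in its member attribute. The rootdn bypasses ACLs entirely, which is why it sees everything regardless. Note that ACL2 expands to cn=$1,ou=Groups,... while the posted groups are named o=Home,ou=Groups,... (and the Work group sits under dc=ucsb,dc=edu); the LDIF below is constructed from the post's group entries, and the "fixed" variant with a cn= RDN (the attribute groupOfNames is normally named by) is an assumption used only to show the contrast.

```python
"""
Offline model of an OpenLDAP ``group.expand`` ACL clause (added example,
not OpenLDAP's own code).  It applies one ``access to dn.regex=... by
group.expand=... write`` clause to a bind DN, a target DN and a set of
entries parsed from LDIF, and reports why access is or is not granted.
"""
import re

# Constructed from the group entries in the post; only these matter for ACL2.
SAMPLE_LDIF = """\
dn: ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups

dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com

dn: o=Work,ou=Groups,dc=ucsb,dc=edu
objectclass: top
objectclass: groupOfNames
cn: Work
member: cn=You,ou=Users,dc=MyCompany,dc=com
"""

# Assumed variant: same groups, but the Home group's RDN matches the ACL template.
FIXED_LDIF = SAMPLE_LDIF.replace("dn: o=Home,", "dn: cn=Home,")

# ACL2 from the post, split into its target pattern and its group template.
ACL_TARGET_REGEX = r"o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
ACL_GROUP_EXPAND = "cn=$1,ou=Groups,dc=MyCompany,dc=com"


def normalize_dn(dn):
    """Approximate slapd DN normalization: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: returns {normalized DN: {attr: [values]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("#"):
            continue                      # comment lines are ignored
        if not line:
            current = None                # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_group_expand(target_dn, bind_dn, entries,
                       target_regex=ACL_TARGET_REGEX, group_expand=ACL_GROUP_EXPAND):
    """Evaluate one group.expand clause; returns (granted, expanded_group_dn, reason)."""
    # slapd compiles dn.regex case-insensitively; like the post's pattern, this one
    # is unanchored, so entries below the address book match as well.
    m = re.search(target_regex, target_dn, re.IGNORECASE)
    if not m:
        return False, None, "target DN does not match dn.regex; clause not applicable"
    group_dn = normalize_dn(group_expand.replace("$1", m.group(1)))
    group = entries.get(group_dn)
    if group is None:
        return False, group_dn, "expanded group DN does not exist in the directory"
    if "groupofnames" not in [v.lower() for v in group.get("objectclass", [])]:
        return False, group_dn, "entry exists but is not a groupOfNames"
    members = {normalize_dn(v) for v in group.get("member", [])}
    if normalize_dn(bind_dn) not in members:
        return False, group_dn, "bind DN is not listed in the group's member attribute"
    return True, group_dn, "bind DN is a member; 'write' (which implies read) applies"


if __name__ == "__main__":
    # The bind from the top of the thread, checked against both data sets.
    bind = "cn=Me,ou=Users,dc=MyCompany,dc=com"
    target = "o=Home,ou=AddressBooks,dc=Mycompany,dc=com"
    for label, ldif in (("as posted", SAMPLE_LDIF), ("cn= RDN (assumed)", FIXED_LDIF)):
        granted, gdn, why = check_group_expand(target, bind, parse_ldif(ldif))
        print(f"{label}: granted={granted} group={gdn} ({why})")
```

Run stand-alone it prints one line per data set; the first run reports that cn=home,ou=groups,dc=mycompany,dc=com does not exist, which is exactly the kind of mismatch the loglevel 128 ACL trace would also show. The same check with "You" against o=Work still fails on the assumed data because that group's DN is under dc=ucsb,dc=edu rather than dc=MyCompany,dc=com.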