Re: ACL to create a CRUD to OpenLDAP
On 07/07/2010 03:31 PM, MrBiTs wrote:
> Hi, all
>
> I'm writing a little script to allow some people to manage LDAP users, as a CRUD. I created a user
> uid=crud,ou=Applications,dc=domain,dc=org and I need to allow this user to add, modify and delete users that only belongs to
> ou=FTPUsers,dc=domain,dc=org.
>
> I wrote this ACL in slapd.conf:
>
> access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
> by dn.exact="cn=Admin,dc=domain,dc=org" write
> by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
> by self write
> by * read
>
> Testing ACL, I had:
>
> [root@svr2021 openldap2.4]# slapacl2.4 -f /etc/openldap2.4/slapd.conf -b "uid=crud,ou=Applications,dc=domain,dc=org" -D
> "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org" "uid/write:"
> authcDN: "uid=ftppinguim,ou=ftpusers,dc=domain,dc=org"
> write access to uid=: DENIED
>
> So, the ACL is not working. If I ask to uid/read:, I have access allowed.
>
> Later I changed my ACL to dn.children, but the result was the same.
>
> I'm using LDAP 2.4 and I would like to know if somebody already did the same configuration or has tips or docs to read.
>
> Thanks a lot
>
> .0. MrBiTs - mrbits.dcf@gmail.com
> ..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB
> 000 http://www.mrbits.com.br
>
>
Couldn't it be because you disallow access preceding this particular ACL?
ACLs are read rule-by-rule, thus they are position-dependent in slapd.conf.
I also don't use 'exact' but just 'dn'. If that's (some sort of) a
mistake, please feel free to correct me :)
Regards,
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
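To make the position-dependence point concrete, here is an added example (not code from the thread and not part of OpenLDAP) that models slapd's two-level first-match evaluation: the first `access to` whose target matches the entry is the only one consulted, and inside it the first matching `by` clause fixes the level. It parses the ACL posted in the question verbatim and evaluates it three ways: alone, with a constructed catch-all `access to * by * read` rule placed before it, and with that rule placed after it. The names `POSTED_ACL`, `CATCH_ALL_READ`, `crud_can_write` and the `uid=other` identity are constructed for the example. The model is a toy: it handles `*`, `dn.exact`, `dn.base`, `dn.subtree` and `dn.children` targets and `*`, `anonymous`, `users`, `self` and `dn.exact` who-clauses, and does not model `attrs=`, regex styles, `break`/`continue` controls, or the real `slapacl` tool (whose `-b` names the entry being accessed and `-D` the identity being checked; the evaluator takes the same two DNs in the same roles).

```python
import shlex
from dataclasses import dataclass, field

# slapd access levels, lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    what: str                                 # target pattern, e.g. "dn.subtree=ou=..."
    by: list = field(default_factory=list)    # [(who_pattern, level), ...] in file order


def parse_acls(text):
    """Parse a subset of slapd.conf 'access to ... / by ... <level>' directives."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # also strips the quotes around DNs
        if tokens[:2] == ["access", "to"] and len(tokens) == 3:
            rules.append(Rule(what=tokens[2]))
        elif tokens[0] == "by" and len(tokens) == 3 and rules:
            if tokens[2] not in LEVELS:
                raise ValueError(f"unknown access level {tokens[2]!r}")
            rules[-1].by.append((tokens[1], tokens[2]))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return rules


def norm(dn):
    """Case- and whitespace-insensitive RDN list (toy: escaped commas not handled)."""
    return [p.strip().lower() for p in dn.split(",")]


def is_below(dn, base):
    """True when dn is strictly subordinate to base."""
    return len(dn) > len(base) and dn[-len(base):] == base


def what_matches(what, target):
    """Does the 'access to' target pattern cover the entry being accessed?"""
    if what == "*":
        return True
    style, _, pattern = what.partition("=")
    base = norm(pattern)
    if style in ("dn.exact", "dn.base"):
        return target == base
    if style == "dn.subtree":                 # the base entry plus everything below it
        return target == base or is_below(target, base)
    if style == "dn.children":                # everything below, base entry excluded
        return is_below(target, base)
    raise ValueError(f"unsupported what clause {what!r}")


def who_matches(pattern, authc, target):
    """Does a 'by' clause apply to the bound identity (authc is None for anonymous)?"""
    if pattern == "*":
        return True
    if pattern == "anonymous":
        return authc is None
    if pattern == "users":
        return authc is not None
    if pattern == "self":
        return authc is not None and authc == target
    style, _, value = pattern.partition("=")
    if style == "dn.exact":
        return authc is not None and authc == norm(value)
    raise ValueError(f"unsupported who clause {pattern!r}")


def granted_level(rules, target_dn, authc_dn):
    """First matching 'access to' is the only one consulted; inside it the first
    matching 'by' decides. No match at either level means 'none'."""
    target = norm(target_dn)
    authc = norm(authc_dn) if authc_dn else None
    for rule in rules:
        if what_matches(rule.what, target):
            for who, level in rule.by:
                if who_matches(who, authc, target):
                    return level
            return "none"                     # 'to' matched but no 'by' clause did
    return "none"


def allowed(rules, target_dn, authc_dn, requested):
    return LEVELS.index(granted_level(rules, target_dn, authc_dn)) >= LEVELS.index(requested)


# The ACL from the question, verbatim.
POSTED_ACL = """
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
    by self write
    by * read
"""
# Constructed: a catch-all rule of the kind often found near the top of slapd.conf.
CATCH_ALL_READ = """
access to *
    by * read
"""
CRUD = "uid=crud,ou=Applications,dc=domain,dc=org"
FTP_USER = "uid=ftppinguim,ou=FTPUsers,dc=domain,dc=org"


def crud_can_write(config_text):
    """Can the CRUD account write the FTP user's entry under this configuration?"""
    return allowed(parse_acls(config_text), FTP_USER, CRUD, "write")


if __name__ == "__main__":
    for label, cfg in [("posted ACL alone", POSTED_ACL),
                       ("catch-all BEFORE posted ACL", CATCH_ALL_READ + POSTED_ACL),
                       ("catch-all AFTER posted ACL", POSTED_ACL + CATCH_ALL_READ)]:
        print(f"{label:28s} crud write -> {'ALLOWED' if crud_can_write(cfg) else 'DENIED'}")
```

Run stand-alone it prints ALLOWED, DENIED, ALLOWED for the three orderings: a broader rule earlier in the file captures the entry and stops evaluation before the FTPUsers rule is ever reached, which is why the order of `access` directives matters and why `slapacl` is worth running against the real configuration before deploying it.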