
Re: Problem with ACL in 2.4.22



Thank you all for your suggestions,

Obviously, what Thierry mentioned was the cause of the problem.

After some experiments, I added the following at the beginning of my acl.conf:

   access to dn.sub="dc=example,dc=com" attrs="children,entry"
   by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" write
   by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" read
   by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" read
   by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" read
   by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" read
   by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" read
   by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=com" read
   by * break

After adding the above, all the "example.com" tree became visible again.

Thanks again,
Nick


On 28/12/2010 5:53 PM, Thierry Lacoste wrote:
Just a guess.
According to http://www.openldap.org/doc/admin24/appendix-upgrading.html:
'Search operations now require "search" privileges on the "entry" pseudo-attribute of the search base.'
Maybe you need to add the search privilege at an upper level in your DIT.

Regards,
Thierry

For example, the following piece of code works as expected in v2.3 but not in v2.4. If some user logs in and is a member of a GroupXAdmins (where X = 1-6), he can't see the branch at all.

# Allow access to entries of the subtree
#
access to dn.sub="dc=12.11.10.in-addr.arpa,ou=dns1,dc=example,dc=com" attrs="children,entry"
by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" read
by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
by * break

# Allow access to all attributes of the subtree
#
access to dn.sub="dc=12.11.10.in-addr.arpa,ou=dns1,dc=example,dc=com"
by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com" read
by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com" read
by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=com" read

where the groups are of the form:

dn: cn=Group1Admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: Group1Admins
member: uid=userx,ou=people,dc=example,dc=com

Please help.

Nick
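A post-upgrade check for the requirement Thierry quotes, written as an added example that is not part of the thread: it asks slapacl(8), offline against slapd.conf, whether each identity from the ACL above gets the "search" privilege on the "entry" pseudo-attribute of the search base. The config path and the member DNs used for each group are assumptions.

```python
#!/usr/bin/env python3
"""Check 2.4's 'search on entry of the search base' requirement with slapacl.
Assumes it runs on the directory host with read access to slapd.conf and the
database; the group entries are looked up by slapd's ACL engine itself."""
import re
import subprocess

SLAPD_CONF = "/etc/openldap/slapd.conf"          # assumed path
SEARCH_BASE = "dc=example,dc=com"                # search base from the thread

# Bind DNs to test: one constructed member per admin group, plus the DNS user
# from the ACL. Group membership is resolved by slapacl, not by this script.
IDENTITIES = {f"Group{i}Admins": f"uid=user{i},ou=people,dc=example,dc=com"
              for i in range(1, 7)}
IDENTITIES["dnsauthusr"] = "uid=dnsauthusr,ou=System,dc=example,dc=com"

# slapacl reports one line per requested attr/access, e.g.
#   search access to entry: ALLOWED
RESULT_RE = re.compile(r"^(\w+) access to (\S+): (ALLOWED|DENIED)$")


def parse_slapacl(output):
    """Map 'access/attr' -> True (ALLOWED) / False (DENIED); other lines ignored."""
    verdicts = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            verdicts[f"{m.group(1)}/{m.group(2)}"] = m.group(3) == "ALLOWED"
    return verdicts


def check_search_on_entry(bind_dn, base=SEARCH_BASE, conf=SLAPD_CONF):
    """Return True/False for 'entry/search' at base, or None if slapacl gave no verdict."""
    cmd = ["slapacl", "-f", conf, "-D", bind_dn, "-b", base, "entry/search"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # slapacl writes its verdicts to stderr; parse both streams to be safe.
    return parse_slapacl(proc.stdout + proc.stderr).get("search/entry")


def run_checks():
    """Identity name -> verdict for every bind DN in IDENTITIES."""
    return {name: check_search_on_entry(dn) for name, dn in IDENTITIES.items()}


if __name__ == "__main__":
    for name, ok in run_checks().items():
        state = {True: "ok", False: "DENIED (searches will fail)", None: "no verdict"}[ok]
        print(f"{name:14s} search on entry of {SEARCH_BASE}: {state}")
```

Any identity reported as DENIED is one for which a search rooted at the base is refused in 2.4 even though the branch rules further down would grant access to the entries themselves.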