[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL peername

To: Natalia <nata.cs2@gmail.com>
Subject: Re: ACL peername
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Fri, 11 Feb 2011 19:13:51 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <AANLkTim-bX=M1Mk0AhFDWnY6spdw5+U0RmBfSiBSQ03u@mail.gmail.com>
References: <AANLkTim-bX=M1Mk0AhFDWnY6spdw5+U0RmBfSiBSQ03u@mail.gmail.com>
User-agent: Thunderbird 2.0.0.19 (X11/20090107)

Natalia wrote:

Hi,

i have a problem with ACLs. I will to grant access to IP. my ACL:

olcAccess: to dn.subtree="ou=people,dc=example,dc=de"
 by group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de" write
 by group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de" read
 by peername.ip=127.0.0.1 read
 by * none

But i become error:

ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcAccess> handler exited with 1

in logs:

 conn=1034 op=4 MOD attr=olcAccess olcAccess
Feb 11 13:33:07 ldap slapd2.4[21279]: slapd: line 0: expecting <access> got
"writeby".
Feb 11 13:33:07 ldap slapd2.4[21279]: <access clause> ::= access to <what> [
by <who> [ <access> ] [ <control> ] ]+  <what> ::= * | dn[.<dnstyle>=<DN>]
[filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname>
[val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::=
<attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> |
!<objectClass> | entry | children <who> ::= [ * | anonymous | users | self |
dn[.<dnstyle>]=<DN> ]     [ realanonymous | realusers | realself |
realdn[.<dnstyle>]=<DN> ]      [dnattr=<attrname>]
[realdnattr=<attrname>]
[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]    [ssf=<n>]
[transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex |
base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children
| exact | regex <attrstyle> ::= exact | regex | base(Obj
Feb 11 13:33:07 ldap slapd2.4[21279]: conn=1034 op=4 RESULT tag=103 err=80
text=<olcAccess> handler exited with 1

I have OpenLDAP 2.4.22. If i remove "by peername.ip=127.0.0.1 read" it
works.


Your LDIF is incorrect, and the error is indirectly telling you.

olcAccess: to dn.subtree="ou=people,dc=example,dc=de"
 by group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de" write
 by group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de" read
 by peername.ip=127.0.0.1 read
 by * none

The single blank you leave before each "by" simply means continuation.As such, what slapd sees is actually


arg#1: to
arg#2: dn.subtree="ou=people,dc=example,dc=de"by
arg#3: group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de"
arg#4: writeby
arg#5: group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de"
arg#6: readby
arg#7: peername.ip=127.0.0.1
arg#8: readby
arg#9: *
arg#10: none

See RFC 2849 for more information on LDIF format.

p.

Follow-Ups:
- Re: ACL peername
  - From: Natalia <nata.cs2@gmail.com>

References:
- ACL peername
  - From: Natalia <nata.cs2@gmail.com>

Prev by Date: Re: Slapd Security based on port
Next by Date: Mac OS X OpenLDAP allows anonymous access to all fields
Index(es):
- Chronological
- Thread