
Problems with uniqueMembers and group ACL

I have migrated my existing 2.0.23 database over, and am currently not able to utilize groups for authentication. As an example, I have an ACL of:

access to attrs=universityID
        by self read
        by group/groupofuniquenames/uniquemember="cn=Administrators,dc=georgefox,dc=edu" write
        by * none

My account is set up as a uniqueMember of cn=Administrators,dc=georgefox,dc=edu:

# ldapsearch -H ldap://testhost.georgefox.edu -b "dc=georgefox,dc=edu" cn=administrators
SASL/GSSAPI authentication started
SASL installing layers
# extended LDIF
# LDAPv3
# filter: cn=administrators
# requesting: ALL

# Administrators, georgefox.edu
dn: cn=Administrators,dc=georgefox,dc=edu
cn: Administrators
cn: sysadmin
owner: uid=abrock
uniqueMember: uid=abrock,dc=georgefox,dc=edu
objectClass: top
objectClass: groupOfUniqueNames

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1

but cannot see the universityID attribute. I am seeing the following when I debug at level 128:

bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
Global ACL: access to attrs=universityID
by self read(=rscx)
by group=cn=Administrators,dc=georgefox,dc=edu objectClass: attributeType: uniqueMember write(=wrscx)
by * none(=n)

bdb_db_init: Initializing BDB database
=> access_allowed: read access to "uid=ecgleaso,dc=georgefox,dc=edu" "universityID" requested
=> acl_get: [1] check attr universityID
=> acl_get: [2] check attr universityID
<= acl_get: [2] acl uid=ecgleaso,dc=georgefox,dc=edu attr: universityID
=> acl_mask: access to entry "uid=ecgleaso,dc=georgefox,dc=edu", attr "universityID" requested
=> acl_mask: to all values by "uid=ABROCK,dc=GEORGEFOX,dc=EDU", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=n) (stop)
<= acl_mask: [3] mask: none(=n)
=> access_allowed: read access denied by none(=n)
acl: access to attribute universityID not allowed

Thanks again for any help!


* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
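
Added example, not part of the original post: a small Python parser that lines up the acl_mask trace quoted above with the "Global ACL" dump and reports, for each request, which "by" clause slapd applied and which clauses were listed before it. The function names are hypothetical, the embedded log is constructed from lines quoted in the post, and it assumes the bracketed number in "[3] applying" is the 1-based position of the applied "by" clause.

```python
import re

# Constructed sample: lines copied from the level-128 output in the post above.
SAMPLE_LOG = '''Global ACL: access to attrs=universityID
by self read(=rscx)
by group=cn=Administrators,dc=georgefox,dc=edu objectClass: attributeType: uniqueMember write(=wrscx)
by * none(=n)
=> acl_mask: access to entry "uid=ecgleaso,dc=georgefox,dc=edu", attr "universityID" requested
=> acl_mask: to all values by "uid=ABROCK,dc=GEORGEFOX,dc=EDU", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=n) (stop)
'''

def parse_acl_dump(log):
    """Map each attribute to the ordered 'by' clauses slapd printed at startup."""
    acls, current = {}, None
    for line in map(str.strip, log.splitlines()):
        m = re.match(r"(?:Global ACL: )?access to attrs=(\S+)", line)
        if m:
            current = []  # one shared clause list for every attribute named
            acls.update(dict.fromkeys(m[1].lower().split(","), current))
        elif line.startswith("by ") and current is not None:
            current.append(line)
        else:
            current = None  # any other line ends the directive
    return acls

def trace_decisions(log):
    """Pair every acl_mask decision with the 'by' clause it applied."""
    acls, out, cur = parse_acl_dump(log), [], None
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r'=> acl_mask: access to entry "(.*)", attr "(.*)" requested', line):
            cur = {"entry": m[1], "attr": m[2], "requester": None, "dn_checks": []}
        elif cur is None:
            continue
        elif m := re.match(r'=> acl_mask: to .* by "(.*)"', line):
            cur["requester"] = m[1]
        elif m := re.match(r"<= check a_dn_pat: (.*)", line):
            cur["dn_checks"].append(m[1])
        elif m := re.match(r"<= acl_mask: \[(\d+)\] applying (\S+)", line):
            clauses, idx = acls.get(cur["attr"].lower(), []), int(m[1])
            # Assumption: [N] is the 1-based position of the applied 'by' clause.
            cur["applied"] = clauses[idx - 1] if 0 < idx <= len(clauses) else None
            cur["earlier"] = clauses[:idx - 1]  # clauses listed before the applied one
            cur["mask"] = m[2]
            out.append(cur)
            cur = None
    return out
```

Calling trace_decisions() on a saved debug log returns one dict per decision, so a denied request can be read next to the "by" clauses that precede the one that fired.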