
Problems with uniqueMembers and group ACL



I have migrated my existing 2.0.23 database over, and am currently not able to utilize groups for authentication. As an example, I have an ACL of:


********************
access to attrs=universityID
by self read
by group/groupofuniquenames/uniquemember="cn=Administrators,dc=georgefox,dc=edu" write
by * none
********************



My account is set up as a uniqueMember of cn=Administrators,dc=georgefox,dc=edu:


********************
# ldapsearch -H ldap://testhost.georgefox.edu -b "dc=georgefox,dc=edu" cn=administrators
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# filter: cn=administrators
# requesting: ALL
#


# Administrators, georgefox.edu
dn: cn=Administrators,dc=georgefox,dc=edu
cn: Administrators
cn: sysadmin
owner: uid=abrock
uniqueMember: uid=abrock,dc=georgefox,dc=edu
objectClass: top
objectClass: groupOfUniqueNames

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
#
********************


but cannot see the universityID attribute. I am seeing the following when I debug at level 128:



********************
bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
Global ACL: access to attrs=universityID
by self read(=rscx)
by group=cn=Administrators,dc=georgefox,dc=edu objectClass: 2.5.6.17 attributeType: uniqueMember write(=wrscx)
by * none(=n)


bdb_db_init: Initializing BDB database
...
=> access_allowed: read access to "uid=ecgleaso,dc=georgefox,dc=edu" "universityID" requested
=> acl_get: [1] check attr universityID
=> acl_get: [2] check attr universityID
<= acl_get: [2] acl uid=ecgleaso,dc=georgefox,dc=edu attr: universityID
=> acl_mask: access to entry "uid=ecgleaso,dc=georgefox,dc=edu", attr "universityID" requested
=> acl_mask: to all values by "uid=ABROCK,dc=GEORGEFOX,dc=EDU", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=n) (stop)
<= acl_mask: [3] mask: none(=n)
=> access_allowed: read access denied by none(=n)
acl: access to attribute universityID not allowed
********************


Thanks again for any help!

Tony

******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************
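As an added example (not part of the original post), a small Python simulation of how the ACL's group clause is evaluated: it looks up the group entry, checks its uniqueMember values and compares DNs after normalising case and whitespace, with a switch that shows what a naive byte-for-byte comparison would do with the upper-cased bind DN that appears in the debug trace. The group entry, DNs and ACL logic are constructed from the values quoted above; the comparison code is a simplified stand-in for slapd's, not its real implementation.

```python
# Added example, not from the original post: a small simulation of an
# OpenLDAP-style "by group/groupOfUniqueNames/uniqueMember=<dn>" clause,
# with constructed data from the values quoted above; it is not slapd's code.
import re

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, trim each
    RDN, lower-case attribute type and value (uid/cn/dc use case-ignore
    matching), collapse inner whitespace. Not a full RFC 4514 parser."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)

# Constructed directory keyed by normalised DN; attribute names lower-cased.
GROUP_DN = "cn=Administrators,dc=georgefox,dc=edu"
DIRECTORY = {
    normalize_dn(GROUP_DN): {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["uid=abrock,dc=georgefox,dc=edu"],
    },
}

def is_group_member(bind_dn: str, group_dn: str = GROUP_DN,
                    member_attr: str = "uniqueMember", normalize: bool = True) -> bool:
    """True if bind_dn is listed in the group's member attribute.
    normalize=False mimics a naive byte-for-byte DN comparison."""
    entry = DIRECTORY.get(normalize_dn(group_dn))
    if entry is None or "groupofuniquenames" not in [c.lower() for c in entry["objectclass"]]:
        return False
    cmp = normalize_dn if normalize else (lambda s: s)
    return any(cmp(m) == cmp(bind_dn) for m in entry.get(member_attr.lower(), []))

def access_for(bind_dn: str, target_dn: str) -> str:
    """Evaluate the post's ACL for attrs=universityID: self read, group write, else none."""
    if normalize_dn(bind_dn) == normalize_dn(target_dn):
        return "read"
    if is_group_member(bind_dn):
        return "write"
    return "none"

if __name__ == "__main__":
    # The bind DN exactly as it appears in the debug trace (upper-cased).
    trace_dn = "uid=ABROCK,dc=GEORGEFOX,dc=EDU"
    print(is_group_member(trace_dn, normalize=False))  # naive compare: False
    print(access_for(trace_dn, "uid=ecgleaso,dc=georgefox,dc=edu"))  # write
```

Running it with the trace's upper-cased bind DN shows the clause granting write only when DNs are compared in normalised form; the naive comparison never matches, which is one thing worth checking when a group clause denies unexpectedly.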