[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access Rights in SLAPD.CONF

I am having a problem with the "access" parameter in the "slapd.conf"
configuration file.  The examples in the documentation and the FAQ do
not appear to work correctly, so I'm at a loss as to what's going on.

The objective is to grant write access to a privileged DN other than the
root DN of my database, because that privileged DN will be used by a
server application (based on Java servlets, using the JNDI API) to
manage directory server entries.  No access from the outside world
directly to the Directory Server will be allowed.

The following are the relevant portions of my slapd.conf (with some
names changed to protect the innocent :-):

    database ldbm
    directory ...
    lastmod on
    readonly off
    rootdn "cn=rootusername, o=My Company Name, c=US"
    rootpw rootpassword
    suffix "o=My Company Name, c=US"
    defaultaccess read
    access to attr="userpassword"
        by self write
        by * compare
    access to dn=".*,o=My Company Name,c=US"
        by dn="cn=adminuser,o=My Company Name,c=US"

I have set up the admin user with an appropriate password, and am able
to bind successfully.  However, when I try to execute an LDAP "add"
operation (context.createSubcontext() in the JNDI API), for a DN like
"mykey=myusername, o=My Company Name, c=US" I get LDAP error 50
"Insufficient Access Rights".  The debug log messages imply that the
pattern match is failing:

    => access_allowed: entry (o=My Company Name, c=US) attr (children)
    => acl_get: entry (o=My Company Name,c=US)  attr (children)
    => acl_get: edn O=MY COMPANY NAME,C=US
    => acl_get: [1] check attr children
    => dnpat: [2] *.,O=MY COMPANY NAME,C=US nsub: 0
    <= acl_get: no match
    => acl_access_allowed: write access to entry "o=My Company Name,
    => acl_access_allowed: write access to value "any" by ""
    <= acl_access_allowed: denied by default (no matching to)
    => access_allowed: exit (o=My Company Name, c=US) attr=(children)
    no access to parent
    send_ldap_result 50::

I have tweaked on the access list every which way, and only succeeded in
adding an entry (when bound with the adminuser DN) if I set
defaultaccess to write, which is obviously not acceptable.

Anyone have any ideas what I'm doing wrong?  Or some annotated examples
of slapd.conf files more complete than the ones in the UMich

Craig McClanahan