ACL confusion

Hi,

I've been trying to set up ACLs with OpenLDAP's slapd.conf. I've looked at the mailing list archives, tried everything I could find suggested there, done several hours' worth of trial and error, and really had a great lack of success.

What I want to do is make one user, Netscape Server Admin, able to perform full additions and updates on any record, and make all attributes but passwords accessible to the public.

Here are portions of my slapd.conf:

rootdn          "uid=root,ou=Staff,o='Invantage, Inc.',c=US"
rootpw          {crypt}<stuff here...>

defaultaccess   read

access to       attr=userpassword
        by self        write
        by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
        by dn="cn=Netscape Server Admin,o='Invantage, Inc.',c=US" write
        by *           compare

access to       *
        by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
        by dn="cn=Netscape Server Admin,o='Invantage, Inc.',c=US" write
        by *           read

I can do an LDAP query and the userpassword attribute doesn't show up. This part is good, then again I copied it almost directly from the sample :-). But if I attempt to add a user when logged in as Netscape Server Admin through the Netscape server interface (with "Bind DN" set to the rootdn if it matters), I get "You do not have sufficient privileges to perform the operation." This is what slapd displays when I try to add the user:

{nicholas#pts/1@hannibal:180} 1:35pm ~>sudo /usr/local/libexec/slapd -d 128
ACL: access to
attrs=userpassword
       by dn=self
       by dn=UID=ROOT,OU=STAFF,O='INVANTAGE, INC.',C=US
       by dn=CN=NETSCAPE SERVER ADMIN,O='INVANTAGE, INC.',C=US
       by dn=.*

ACL: access to dn=.*
       by dn=UID=ROOT,OU=STAFF,O='INVANTAGE, INC.',C=US
       by dn=CN=NETSCAPE SERVER ADMIN,O='INVANTAGE, INC.',C=US
       by dn=.*

slapd starting

=> access_allowed: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)
=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: search access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
=> acl_access_allowed: search access to value "ADMIN" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
<= acl_access_allowed: granted to database root
=> access_allowed: exit (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)

=> access_allowed: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: read access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
<= acl_access_allowed: granted to database root
=> access_allowed: exit (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)

=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (objectclass)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: read access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
<= acl_access_allowed: granted to database root

=> access_allowed: entry (o='Invantage, Inc.',c=US) attr (children)
=> acl_get: entry (o='Invantage, Inc.',c=US) attr (children)
<= acl_get: [2] backend acl o='Invantage, Inc.',c=US attr: children
=> acl_access_allowed: write access to entry "o='Invantage, Inc.',c=US"
=> acl_access_allowed: write access to value "any" by "CN=NETSCAPE SERVER ADMIN,O='INVANTAGE,INC.',C=US"
<= acl_access_allowed: matched by clause #3 access denied
=> access_allowed: exit (o='Invantage, Inc.',c=US) attr (children)

There are two parts of this I don't understand. The first one is:

=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
<= acl_get: no acl applicable to database root

Why does it say "no acl applicable to database root"? What is the database root? Is 'access to *' not general enough?


=> acl_access_allowed: write access to value "any" by "CN=NETSCAPE SERVER ADMIN,O='INVANTAGE,INC.',C=US"
<= acl_access_allowed: matched by clause #3 access denied

What does 'value "any"' mean? Is a value the same as an attribute? How can I grant the needed access to this user? It seems that "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"


If there's anywhere else I can read about this access model, please just point me in the right direction. Failing that, solutions to my exact problem would be greatly appreciated.

Thanks,

--
Nicholas Riley <nicholas@invantage.com>
Invantage, Inc. / 149 Sidney St. / Cambridge MA 02139 / +1 617 577 7844
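Added example, not part of Nicholas's mail and not OpenLDAP's own code: a simplified Python model of first-match ACL evaluation over the two access directives quoted above, useful for checking which `by` clause a given bind DN lands on before changing the ACLs. It assumes that a `by dn=` clause matches only when the two DNs compare equal, and it reproduces the DN form the debug trace prints (upper case, no space after the comma inside 'Invantage, Inc.'). With a raw string comparison the bound admin DN skips clause #2 and falls through to `by * read`, clause #3, which is the "matched by clause #3 access denied" line in the trace; with normalized comparison the same bind gets write.

```python
import re

# Access levels in increasing order, as used by slapd.conf's by-clauses.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

def normalize_dn(dn):
    """Case-fold and drop whitespace around commas: the form in which the
    debug trace prints DNs (assumed here to mirror slapd's own comparison)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).upper()

def acl_allowed(acls, entry_dn, attr, requested, bind_dn, normalize=True, default="read"):
    """Return (granted, clause_no). Rules are (attrs-or-None, [(who, level)]).
    The first rule whose attrs cover `attr` decides, and within it the first
    matching by-clause wins; `default` stands in for defaultaccess."""
    norm = normalize_dn if normalize else (lambda d: d)
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for n, (who, level) in enumerate(clauses, start=1):
            if who == "*":
                matched = True
            elif who == "self":
                matched = bind_dn != "" and norm(bind_dn) == norm(entry_dn)
            else:
                matched = norm(who) == norm(bind_dn)
            if matched:
                return LEVELS[level] >= LEVELS[requested], n
        return False, 0  # a rule applied but no by-clause matched
    return LEVELS[default] >= LEVELS[requested], 0

ROOT = "uid=root,ou=Staff,o='Invantage, Inc.',c=US"
ADMIN = "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
BASE = "o='Invantage, Inc.',c=US"
# The two access directives from the mail, in the order slapd.conf lists them.
ACLS = [
    ({"userpassword"}, [("self", "write"), (ROOT, "write"),
                        (ADMIN, "write"), ("*", "compare")]),
    (None, [(ROOT, "write"), (ADMIN, "write"), ("*", "read")]),
]
# The admin DN exactly as the trace prints it: no space after the comma in o=.
ADMIN_AS_BOUND = "CN=NETSCAPE SERVER ADMIN,O='INVANTAGE,INC.',C=US"

def demo():
    """The add from the mail (write to the base entry's children) with raw
    and with normalized matching, plus an anonymous read of userpassword."""
    raw = acl_allowed(ACLS, BASE, "children", "write", ADMIN_AS_BOUND, normalize=False)
    norm = acl_allowed(ACLS, BASE, "children", "write", ADMIN_AS_BOUND)
    anon = acl_allowed(ACLS, ADMIN, "userpassword", "read", "")
    return raw, norm, anon  # ((False, 3), (True, 2), (False, 4))
```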