
Re: ACL confusion
Nicholas Riley wrote:
> 
> At 11:43 AM -0700 6/24/99, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> 
> Thanks very much for the help.
> 
> >That's not a valid DN (per RFC1779) and will likely cause problems.
> >Namely, the "," in o='Invantage, Inc.' must be quoted using an
> >approved mechanism.  "'" character is NOT a quote character.
> 
> I tried quoting by following the example at the end of chapter 5 of
> the SLAPD and SLURPD Administrators Guide: "o=\"Invantage,
> Inc.\",c=US".

I strongly recommend use of ldapadd to import entries into directories.
ldif2ldbm is meant for database recovery and assumes error free input.
ldapadd is slow but safe.

> This did not work - it yielded error messages
> everywhere. Using single quotes looked distinctly bad to me, but it
> had worked everywhere so far. I see from RFC 1779 that "o=Invantage\,
> Inc.,c=US" should be permitted. I'll try that later.

Quoting in DNs (including the "\" character) should be avoided.  They'll
cause you nothing but headaches.

> I rebuilt the database with o=Invantage, to make sure that the comma
> in the DN does not contribute to the problem, and tried again. The
> same problem still occurs, as best I can tell. Here is the LDIF file
> I imported to begin with:
> 
> >dn: o=Invantage,c=US
> >objectclass: organization

You're missing a required attribute (o) of organization.  Shouldn't
affect ACLs.  I'll assume your suffix is "o=Invantage,c=US".

> >dn: ou=Staff,o=Invantage,c=US
> >objectclass: organizationalUnit

You're missing a required attribute (ou) of organizationalUnit.  Shouldn't
affect ACLs.

> >dn: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
> >cn: Nicholas Riley
> >sn: Riley
> >uid: nicholas
> >ou: Staff
> >mail: nicholas@invantage.com
> >objectclass: person
> >userpassword: {crypt}<stuff>
> >
> >dn: uid=root,ou=Staff,o=Invantage,c=US
> >uid: root
> >ou: Staff
> >description: System Administrator account
> >seeAlso: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
> >objectclass: account
> >
> >dn: Netscape Server Admin,o=Invantage,c=US

Bogus DN, probably should be: cn=Netscape Server Admin,o=Invantage,c=US ?

> and portions of slapd.conf again:
> >rootdn          "uid=root,ou=Staff,o=Invantage,c=US"
> >defaultaccess   read
> >access to       attr=userpassword
> > by self        write
> > by dn="uid=root,ou=Staff,o=Invantage,c=US" write
> > by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
> > by *           compare
> >access to       *
> > by dn="uid=root,ou=Staff,o=Invantage,c=US" write
> > by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
> > by *           read

These ACLs won't match your bogus DN above... as your results indicate.
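An added illustration of the two points in this reply (it is not code from the thread or from OpenLDAP): a small RFC 1779/2253-style DN splitter shows why o='Invantage, Inc.' falls apart into an extra RDN while "\," and double quotes do not, and a toy evaluator of the two ACLs quoted above shows that a bind as the entry whose DN lacks "cn=" never hits the "by dn=..." clauses. It assumes exact comparison of normalized DNs and first-matching-clause semantics; real slapd normalization and matching are richer.

```python
# Added example, not from the thread or OpenLDAP. Assumes exact comparison
# of normalized DNs and first-match ACL semantics (a simplification).

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes and double quotes."""
    rdns, cur, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character: keep it literally
            cur += dn[i + 1]; i += 2; continue
        if ch == '"':                           # double quote toggles quoted-value mode
            quoted = not quoted
        elif ch == "," and not quoted:          # an unquoted comma ends the RDN
            rdns.append(cur.strip()); cur = ""
        else:
            cur += ch                           # "'" is an ordinary character, not a quote
        i += 1
    rdns.append(cur.strip())
    return rdns

def dn_equal(a, b):
    """Compare DNs case-insensitively, RDN by RDN, ignoring spaces around commas."""
    return [r.lower() for r in split_dn(a)] == [r.lower() for r in split_dn(b)]

# The two ACLs from the slapd.conf excerpt: (target attribute, [(who, level), ...]).
ACLS = [
    ("userpassword", [("self", "write"),
                      ("uid=root,ou=Staff,o=Invantage,c=US", "write"),
                      ("cn=Netscape Server Admin,o=Invantage,c=US", "write"),
                      ("*", "compare")]),
    ("*",            [("uid=root,ou=Staff,o=Invantage,c=US", "write"),
                      ("cn=Netscape Server Admin,o=Invantage,c=US", "write"),
                      ("*", "read")]),
]

def access_level(bind_dn, entry_dn, attr):
    """Return the level granted by the first matching 'by' clause of the first matching ACL."""
    for target, clauses in ACLS:
        if target != "*" and target.lower() != attr.lower():
            continue                            # ACL does not cover this attribute
        for who, level in clauses:
            if who == "*":
                return level
            if who == "self" and dn_equal(bind_dn, entry_dn):
                return level
            if who not in ("*", "self") and dn_equal(bind_dn, who):
                return level
    return "read"                               # the excerpt's "defaultaccess read"
```

A bind as "Netscape Server Admin,o=Invantage,c=US" (the DN actually imported) gets only "compare" on userpassword, while "cn=Netscape Server Admin,o=Invantage,c=US" gets "write".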