
Re: ACL confusion



Hi Nicholas,

Try this

access to dn=".*, o=Invantage, c=US" attr=userPassword
     # user can change his own password
     by self write
     by dn="cn=Netscape Admin,..." write
     by * none
access to dn=".*, o=Invantage, c=US"
     by self write
     by dn="cn=Netscape Admin,..." write
     by dn=".*, o=Invantage, c=US" read
     by * none

Regards

--- Nicholas Riley <nicholas@invantage.com> wrote:
> Hi,
> 
> I've been trying to set up ACLs with OpenLDAP's slapd.conf. I've looked at the mailing list archives, and tried everything I could find suggested there, done several hours' worth of trial and error, and really had a great lack of success.
> 
> What I want to do is make one user, Netscape Server Admin, able to perform full additions and updates on any record, and make all attributes but passwords accessible to the public.
> 
> Here are portions of my slapd.conf:
> 
> >rootdn          "uid=root,ou=Staff,o='Invantage, Inc.',c=US"
> >rootpw          {crypt}<stuff here...>
> >
> >defaultaccess   read
> >
> >access to       attr=userpassword
> > by self        write
> > by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
> > by dn="cn=Netscape Server Admin,o='Invantage, Inc.',c=US" write
> > by *           compare
> >
> >access to       *
> > by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
> > by dn="cn=Netscape Server ,o='Invantage, Inc.',c=US" write
> > by *           read
> 
> I can do an LDAP query and the userpassword attribute doesn't show up. This part is good, then again I copied it almost directly from the sample :-). But if I attempt to add a user when logged in as Netscape Server Admin through the Netscape server interface (with "Bind DN" set to the rootdn if it matters), I get "You do not have sufficient privileges to perform the operation." This is what slapd displays when I try to add the user:
> 
> >{nicholas#pts/1@hannibal:180} 1:35pm ~>sudo /usr/local/libexec/slapd -d 128
> >ACL: access to
> > attrs=userpassword
> >        by dn=self
> >        by dn=UID=ROOT,OU=STAFF,O='INVANTAGE, INC.',C=US
> >        by dn=CN=NETSCAPE SERVER ADMIN,O='INVANTAGE, INC.',C=US
> >        by dn=.*
> >
> >ACL: access to dn=.*
> >        by dn=UID=ROOT,OU=STAFF,O='INVANTAGE, INC.',C=US
> >        by dn=CN=NETSCAPE SERVER ADMIN,O='INVANTAGE, INC.',C=US
> >        by dn=.*
> >
> >slapd starting
> >
> >=> access_allowed: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)
> >
> >=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)
> ><= acl_get: no acl applicable to database root
> >
> >=> acl_access_allowed: search access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
> >
> >=> acl_access_allowed: search access to value "ADMIN" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
> ><= acl_access_allowed: granted to database root
> >
> >=> access_allowed: exit (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (uid)
> >
> >=> access_allowed: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
> >
> >=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
> ><= acl_get: no acl applicable to database root
> >
> >=> acl_access_allowed: read access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
> >
> >=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
> ><= acl_access_allowed: granted to database root
> >
> >=> access_allowed: exit (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
> >
> >=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (objectclass)
> ><= acl_get: no acl applicable to database root
> >
> >=> acl_access_allowed: read access to entry "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
> >
> >=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US"
> ><= acl_access_allowed: granted to database root
> >
> >=> access_allowed: entry (o='Invantage, Inc.',c=US) attr (children)
> >
> >=> acl_get: entry (o='Invantage, Inc.',c=US) attr (children)
> ><= acl_get: [2] backend acl o='Invantage, Inc.',c=US attr: children
> >
> >=> acl_access_allowed: write access to entry "o='Invantage, Inc.',c=US"
> >
> >=> acl_access_allowed: write access to value "any" by "CN=NETSCAPE SERVER ADMIN,O='INVANTAGE,INC.',C=US"
> ><= acl_access_allowed: matched by clause #3 access denied
> >
> >=> access_allowed: exit (o='Invantage, Inc.',c=US) attr (children)
> 
> There are two parts of this I don't understand. The first one is:
> 
> >=> acl_get: entry (cn=Netscape Server Admin,o='Invantage, Inc.',c=US) attr (entry)
> ><= acl_get: no acl applicable to database root
> 
> Why does it say "no acl applicable to database root"? What is the database root? Is 'access to *' not general enough?
> 
> >=> acl_access_allowed: write access to value "any" by "CN=NETSCAPE SERVER ADMIN,O='INVANTAGE,INC.',C=US"
> ><= acl_access_allowed: matched by clause #3 access denied
> 
> What does 'value "any"' mean? Is a value the same as an attribute? How can I grant the needed access to this user? It seems that "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
> 
> If there's anywhere else I can read about this access model, please just point me in the right direction. Failing that, solutions to my exact problem would be greatly appreciated.
> 
> Thanks,
> 
> -- 
> Nicholas Riley <nicholas@invantage.com>
> Invantage, Inc. / 149 Sidney St. / Cambridge MA 02139 / +1 617 577 7844
> 
> 

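Added example, written for this archive page and not part of either message above nor of OpenLDAP itself: a short Python model of the first-match rules the quoted -d 128 trace follows, run against the ACLs Nicholas posted. The model assumes only what the trace shows: the rootdn bypasses the ACLs ("granted to database root"), the first "access to" whose target matches is the only one consulted, and within it the first "by" whose subject matches decides, so a request that slips past every dn= clause lands on the closing "by * read" and a write is refused ("matched by clause #3 access denied"). Two details of the posted config are worth checking against that trace: the second ACL as pasted reads cn=Netscape Server ,o=... (no Admin), and the trace prints the bound DN as O='INVANTAGE,INC.',C=US with the space after the comma gone, while it prints the ACL patterns with the space kept. The model applies patterns exactly as written (an assumption, marked in the code), which is why it grants the add only once the pattern is spelled the way the server prints the DN; the server's own -d 128 output remains the authority on what it actually matches.

```python
"""Model of slapd.conf ACL evaluation (added example; not from the thread or OpenLDAP)."""
from __future__ import annotations
import re
import shlex
from dataclasses import dataclass

# slapd's access levels: a clause granting level L satisfies any request for a level <= L.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

def normalize_dn(dn: str) -> str:
    # Upper-case and drop whitespace after commas: the form the quoted trace prints for bound
    # DNs (UID=ROOT,OU=STAFF,O='INVANTAGE,INC.',C=US). Assumed to be all the server does.
    return re.sub(r",\s+", ",", dn.strip()).upper()

def dn_matches(pattern: str, ndn: str) -> bool:
    # A dn= pattern is a regex, unanchored and case-insensitive, applied as written (the trace
    # prints patterns with spaces intact). Assumption: "o='X, Y'" therefore cannot match O='X,Y'.
    return re.search(pattern, ndn, re.IGNORECASE) is not None

@dataclass
class Acl:
    dn_regex: str | None        # None: target was "*" (any entry)
    attrs: set[str] | None      # None: any attribute
    by: list[tuple[str, str]]   # (who, level); who is "*", "self" or a dn= regex

def parse_acls(conf: str) -> list[Acl]:
    """Parse 'access to ...' and 'by ...' lines; other directives are ignored."""
    acls: list[Acl] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # keeps a double-quoted DN pattern as one token
        if tok[:2] == ["access", "to"]:
            dn_regex = attrs = None
            for t in tok[2:]:
                if t.startswith("dn="):
                    dn_regex = t[3:]
                elif t.startswith(("attr=", "attrs=")):
                    attrs = {a.lower() for a in t.split("=", 1)[1].split(",")}
                elif t != "*":
                    raise ValueError(f"unsupported target {t!r}")
            acls.append(Acl(dn_regex, attrs, []))
        elif tok[:1] == ["by"]:
            who = tok[1][3:] if tok[1].startswith("dn=") else tok[1]
            acls[-1].by.append((who, tok[2]))
    return acls

def access_allowed(acls, entry_dn, attr, requester_dn, level, rootdn=None, default="none"):
    """Return (granted, reason) for one check, in the wording of slapd's trace."""
    need = LEVELS[level]
    ent = normalize_dn(entry_dn)
    req = normalize_dn(requester_dn) if requester_dn else ""  # "" is an anonymous bind
    if rootdn is not None and req == normalize_dn(rootdn):
        return True, "granted to database root"  # the rootdn never consults the ACLs
    for i, acl in enumerate(acls, 1):
        if acl.dn_regex is not None and not dn_matches(acl.dn_regex, ent):
            continue
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        # Only the first ACL whose target matches is consulted, and within it the first 'by'
        # whose subject matches decides; a request never falls through to a later ACL.
        for j, (who, lvl) in enumerate(acl.by, 1):
            hit = (who == "*" or (who == "self" and bool(req) and req == ent)
                   or (who not in ("*", "self") and bool(req) and dn_matches(who, req)))
            if hit:
                ok = LEVELS[lvl] >= need
                return ok, f"acl #{i}: matched by clause #{j} ({who} {lvl}) access {'granted' if ok else 'denied'}"
        break  # no 'by' matched: use defaultaccess (model's choice; 2.x releases deny here)
    ok = LEVELS[default] >= need
    return ok, f"no acl clause matched, defaultaccess {default}: access {'granted' if ok else 'denied'}"

# The two ACLs quoted in the thread, exactly as posted ("cn=Netscape Server ," in the second).
POSTED_CONF = """\
access to       attr=userpassword
 by self        write
 by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
 by dn="cn=Netscape Server Admin,o='Invantage, Inc.',c=US" write
 by *           compare
access to       *
 by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
 by dn="cn=Netscape Server ,o='Invantage, Inc.',c=US" write
 by *           read
"""
ROOTDN = "uid=root,ou=Staff,o='Invantage, Inc.',c=US"
ADMIN = "cn=Netscape Server Admin,o='Invantage, Inc.',c=US"
ORG = "o='Invantage, Inc.',c=US"

def demo() -> dict[str, tuple[bool, str]]:
    """Replay the failed add from the thread, then two candidate rewrites of the ACL."""
    posted = parse_acls(POSTED_CONF)
    typo_fixed = parse_acls(POSTED_CONF.replace("Server ,", "Server Admin,"))
    # Patterns spelled the way the trace prints the bound DN (no space after the comma).
    spelled = parse_acls(POSTED_CONF.replace("Server ,", "Server Admin,").replace(", Inc.", ",Inc."))
    kw = dict(rootdn=ROOTDN, default="read")
    # Adding an entry under ORG is checked as write access to ORG's "children" pseudo-attribute,
    # which is what the last block of the quoted trace shows.
    return {
        "admin_add_posted": access_allowed(posted, ORG, "children", ADMIN, "write", **kw),
        "admin_add_typo_fixed": access_allowed(typo_fixed, ORG, "children", ADMIN, "write", **kw),
        "admin_add_spelled": access_allowed(spelled, ORG, "children", ADMIN, "write", **kw),
        "root_add": access_allowed(posted, ORG, "children", ROOTDN, "write", **kw),
        "anon_read_password": access_allowed(posted, ADMIN, "userPassword", None, "read", **kw),
        "anon_compare_password": access_allowed(posted, ADMIN, "userPassword", None, "compare", **kw),
    }

if __name__ == "__main__":
    print(*(f"{k:22s} {v}" for k, v in demo().items()), sep="\n")
```

Running it prints each check with the clause that decided it: the add as Netscape Server Admin against the posted ACLs reproduces the trace's "matched by clause #3 access denied", the same add as the rootdn is "granted to database root", and anonymous binds get compare but not read on userpassword, which is why the attribute never shows up in a search. Under the model's assumption about spacing, restoring "Admin" in the pattern alone still ends on clause #3; only the pattern written as O='Invantage,Inc.' is caught by clause #2 and granted.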