Re: 2.0.6 and acl
At 05:45 PM 10/19/00 +0200, Trapp, Michael wrote:
>i still have some problems with acl's and openldap-2.0.6.
>ldapsearch -D 'cn=admin,ou=corp,o=test' -w ...
>produces the following debug messages:
>=> access_allowed: auth access to "cn=admin,ou=corp,o=test" "userPassword"
>=> dn:  OU=CORP,O=TEST
>=> acl_get:  matched
>=> acl_get:  check attr userPassword
><= acl_get:  acl cn=admin,ou=corp,o=test attr: userPassword
>=> acl_mask: access to entry "cn=admin,ou=corp,o=test", attr "userPassword"
>=> acl_mask: to all values by "", (=n)
><= check a_dn_pat: cn=admin,ou=corp,o=test
><= check a_dn_pat: self
><= acl_mask: no more <who> clauses, returning =n (stop)
>=> access_allowed: auth access denied by =n
>... looks like acl_mask() checks the right section and the corresponding
>entries inside the section
>access to dn.child="ou=corp,o=test"
> by dn.regex="cn=test,ou=corp,o=test" write
> by self read
>but the regex doesn't match the dn!
>as far as i can see, the op->o_ndn isn't set so it can't match at all.
The bind request is processed as "anonymous" so op->o_ndn. You
must grant "anonymous" "auth" access to "userPassword" to authorize
authentication. See the Admin Guide which demonstrates such an
>is there any failure in the config? (i'm still looking for the corresponding
Yes, you need something like:
access to attrs=userPassword
by self write
by anonymous auth
in your ACLs. Note that placement counts.
>the admin-guide doesn't tell anything about target-style, subject-style or
There is some additional info in the developer's FAQ... a volunteer
is needed to update the Admin Guide with additional ACL info.
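To make the reply's point concrete, here is an added example (not slapd code, and not part of the original thread): a small Python model of slapd's ACL evaluation, simplified to the target and <who> types used in this thread. It reproduces the trace above (an anonymous bind identity cannot match dn.regex or self, so the auth check on userPassword fails), shows the corrected rule granting "by anonymous auth", and shows why placement counts. The ACL sets and the DN normalization are constructed simplifications.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # a granted level implies lower ones

def normalize(dn):  # toy DN normalization (lower-case, no spaces); slapd's rules are richer
    return ",".join(p.strip().lower() for p in dn.split(","))

def target_matches(target, entry_dn, attr):
    kind, value = target
    if kind == "dn.child":        # the entry itself or anything below it
        parent = normalize(value)
        return entry_dn == parent or entry_dn.endswith("," + parent)
    if kind == "attrs":           # attribute-only target: matches any entry
        return attr in value
    raise ValueError(kind)

def who_matches(who, bind_ndn, entry_dn):
    kind = who[0]
    if kind == "anonymous":       # op->o_ndn unset: no bind DN yet
        return bind_ndn == ""
    if kind == "self":            # needs a bind DN equal to the entry's DN
        return bind_ndn != "" and bind_ndn == entry_dn
    if kind == "dn.regex":        # an empty bind DN can never match a DN pattern
        return bind_ndn != "" and re.search(who[1], bind_ndn) is not None
    raise ValueError(kind)

def access_allowed(acls, bind_ndn, entry_dn, attr, needed):
    """Only the first 'access to' clause whose target matches is consulted;
    its <who> clauses are tried in order. No match anywhere means deny."""
    entry_dn = normalize(entry_dn)
    for target, who_clauses in acls:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, granted in who_clauses:
            if who_matches(who, normalize(bind_ndn) if bind_ndn else "", entry_dn):
                return LEVELS.index(granted) >= LEVELS.index(needed)
        return False              # "no more <who> clauses, returning =n"
    return False

# Constructed ACL sets: the poster's rule, the suggested userPassword rule, and both orderings.
POSTED = [(("dn.child", "ou=corp,o=test"),
           [(("dn.regex", "cn=test,ou=corp,o=test"), "write"), (("self",), "read")])]
PASSWORD_RULE = [(("attrs", {"userPassword"}),
                  [(("self",), "write"), (("anonymous",), "auth")])]
FIXED = PASSWORD_RULE + POSTED      # password rule first: placement counts
MISPLACED = POSTED + PASSWORD_RULE  # shadowed by the dn.child clause for this entry

def simple_bind_allowed(acls, bind_dn):
    """A simple bind is checked while the connection is still anonymous."""
    return access_allowed(acls, "", bind_dn, "userPassword", "auth")
```

With POSTED the bind for cn=admin,ou=corp,o=test is denied exactly as in the trace; with FIXED it is granted, while MISPLACED still denies because the dn.child clause is matched first and stops evaluation.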