
Specifying write access for more than one user?



    Hello,

    I'm fighting the 'access' directive in slapd.conf currently.
    With the docs in my hands I seem to be unable to specify
    rules that allow not only one person write access but a
    whole set of them.

    The setup right now is

    cn=admin1,ou=administrators,o=company,c=TLD
    cn=admin2,ou=administrators,o=company,c=TLD
    [...]

    When I use the default permission set:

        access to attribute=userPassword
            by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
            by anonymous auth
            by self write
            by * none

        access to *
            by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
            by * read

    I can for example add new administrators with user 'admin1'
    without problems.

    My first attempt to add permission to let admin2 do the same
    thing as admin1 was just to add the line
    
        by dn="cn=admin2,ou=administrators,o=company,c=TLD" write

    right after the admin1 line.

    It didn't take long before I figured out it was too inefficient and I
    searched for a way to match all cn's in the administrator ou.
    I thought by replacing the admin(1|2) lines with

        by dn="cn=*,ou=administrators,o=company,c=TLD" write

    all would be done. I can login successfully, but when I
    attempt to create another administrator, I always get:

        Root error: [LDAP: error code 50 - no write access to parent]

    (from the client). In fact I get this error for every new
    entry I try to add.
    
    The slapd access log shows me:

access_allowed: write access to "ou=Administrators, o=company,c=TLD" "children" requested 
acl_get: [1] check attr children 
acl_get: [2] check attr children 
acl_get: [2] acl ou=Administrators, o=company,c=TLD attr: children 
acl_mask: access to entry "ou=Administrators, o=company,c=TLD", attr "children" requested 
acl_mask: to all values by "CN=ADMIN,OU=ADMINISTRATORS,O=COMPANY,C=TLD", (=n)  
check a_dn_pat: cn=*,ou=administrators,o=company,c=TLD 
check a_dn_pat: * 
acl_mask: [2] applying read (=rscx) (stop) 
acl_mask: [2] mask: read (=rscx) 
access_allowed: write access denied by read (=rscx) 

    I can clearly see what's going wrong (the read mask
    successfully applies first so the access process stops) but I
    don't know how to solve it (i.e. what the right dn entry
    should be).

    Thanks in advance for any hint!

    kind regards,
        - Markus

-- 
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
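Added example (not from the post above and not OpenLDAP's own code): a small Python model of slapd's first-match ACL evaluation, run over the poster's "access to *" rule and two alternative "by" clauses that name the whole administrators OU. It assumes that a plain dn= clause is an exact DN comparison (the default in OpenLDAP 2.1 and later) and that the dn.children= and dn.regex= qualifiers are available; the DNs and rule sets are constructed for the demonstration.

```python
import re

# slapd access levels, weakest to strongest; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):
    """Normalise a DN for comparison: case-insensitive, no blanks after the
    separators (the log shows "ou=Administrators, o=company,c=TLD")."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def by_matches(who, bound_dn, target_dn):
    """One 'by <who>' clause: True if the bound DN is the subject it names."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "self":
        return norm(bound_dn) == norm(target_dn)
    kind, _, pat = who.partition("=")
    if kind in ("dn", "dn.exact"):      # plain dn= is an exact comparison, '*' is literal
        return norm(bound_dn) == norm(pat)
    if kind == "dn.regex":              # regular expression over the normalised DN
        return re.search(pat, norm(bound_dn), re.IGNORECASE) is not None
    if kind == "dn.children":           # any entry strictly below the named DN
        return norm(bound_dn).endswith("," + norm(pat))
    raise ValueError(f"unsupported who-clause: {who}")

def access_allowed(clauses, bound_dn, target_dn, wanted):
    """First matching 'by' clause decides; later clauses are never consulted.
    Returns (granted?, clause that decided)."""
    for who, level in clauses:
        if by_matches(who, bound_dn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(wanted), who
    return False, None                  # nothing matched: implicit 'by * none'

ADMINS = "ou=administrators,o=company,c=TLD"    # parent whose "children" are written
ADMIN2 = "cn=admin2," + ADMINS                  # constructed bound DN

# The poster's attempt: '*' is not a wildcard here, so admin2 falls through to 'by * read'.
BROKEN = [("dn=cn=*," + ADMINS, "write"), ("*", "read")]
# Two constructed alternatives that match every entry under the OU (assumptions, not from the post).
FIXED_CHILDREN = [("dn.children=" + ADMINS, "write"), ("*", "read")]
FIXED_REGEX = [("dn.regex=^cn=[^,]+," + ADMINS + "$", "write"), ("*", "read")]

def demo():
    outsider = "cn=bob,ou=users,o=company,c=TLD"   # constructed non-admin DN
    return {
        "broken": access_allowed(BROKEN, ADMIN2, ADMINS, "write"),
        "children": access_allowed(FIXED_CHILDREN, ADMIN2, ADMINS, "write"),
        "regex": access_allowed(FIXED_REGEX, ADMIN2, ADMINS, "write"),
        "outsider": access_allowed(FIXED_CHILDREN, outsider, ADMINS, "write"),
    }
```

The "broken" case reproduces the log above: the wildcard clause never matches, "by * read" applies first and write is denied; the two alternatives grant write to entries under the OU only.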