
RE: group access "write" in OpenLDAP 2.1.4



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michiko Nagara

> Hello,
>
> I have a question about the group access.
> I am using OpenLDAP 2.1.4 + BerkeleyDB 4.0.14.
> OS: Solaris 8, Turbolinux 7.0
>
> I have created the following group.
> (made reference to FAQ:
>  How do I use groups as manage access controls?)
>
> +-dc=example,dc=com
> +--cn=administrators,dc=example,dc=com
> +--cn=fred blogs,dc=example,dc=com
>
> LDIF:
>
> dn:cn=administrators,dc=example,dc=com
> cn: administrators of this region

You need a "cn: administrators" value to match the specified DN.

> objectclass: groupOfNames
> objectclass: top
> member: cn=fred blogs,dc=example,dc=com
> member: cn=somebody else,dc=example,dc=com
>
> slapd.conf : the GROUP access acl
>
> access to *
>       by group="cn=administrators,dc=example,dc=com" write
>       by * auth
>
> When I tried to modify dn "cn=fred blogs,dc=example,dc=com",
> it works fine.
> But when I tried to search filter "(objectclass=*)", I got
> no entries.
>
> # extended LDIF
> #
> # LDAPv3
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
> When I used OpenLDAP 2.1.3 with same acl as the above-mentioned,
> I could get all entries.
> Also, I changed group.c v1.9.2.4 to v1.9.2.3 in OpenLDAP 2.1.4
> and rebuilt, I could get all entries.

This is odd, since the only difference between v1.9.2.3 and v1.9.2.4 is in
the debug log statements. But there is, unfortunately, an error that was
introduced in v1.9.2.5 which was in the 2.1.4 release. The fix is in the CVS
HEAD and in v1.9.2.7, which will be in the 2.1.5 release.
>
> When version 2.1.4 is used, should I do anything else?

You should be able to do things exactly the same as in 2.1.3, but for this
error. Get the update and it will work.
>
> I apologize for the unskilled English language and long writing.

Nothing to apologize for, your post was clear.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
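
The reply's point that the entry needs a "cn: administrators" value to match its DN can be checked mechanically before loading an LDIF file. The following is an added example, not part of the original message or of OpenLDAP; the function names are hypothetical, and it assumes a single-valued first RDN with no escaped commas.

```python
import base64

# Constructed sample: the group entry as posted, then a corrected copy.
SAMPLE_LDIF = """\
dn:cn=administrators,dc=example,dc=com
cn: administrators of this region
objectclass: groupOfNames
objectclass: top
member: cn=fred blogs,dc=example,dc=com
member: cn=somebody else,dc=example,dc=com

dn: cn=administrators,dc=example,dc=com
cn: administrators
cn: administrators of this region
objectclass: groupOfNames
member: cn=fred blogs,dc=example,dc=com
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles folded lines and base64 (::)."""
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with one space
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            yield dn, attrs

def rdn_mismatches(text):
    """Return DNs whose first RDN (attr=value) is not among the entry's values."""
    bad = []
    for dn, attrs in parse_ldif(text):
        rdn = dn.split(",", 1)[0]  # assumption: single-valued RDN, no escaped commas
        attr, _, value = rdn.partition("=")
        have = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
        if value.strip().lower() not in have:  # cn compares case-insensitively
            bad.append(dn)
    return bad

if __name__ == "__main__":
    print(rdn_mismatches(SAMPLE_LDIF))
```

Only the first sample entry is reported, because its sole cn value is "administrators of this region" while the DN names cn=administrators.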