
ACLs for ACI use



I'm trying to use the following ACL:
----- s n i p -----
access to dn.base=""
        attrs=supportedSASLMechanisms,namingContexts
        by domain=".*\.bayour\.com" read
        by peername="IP=127\.0\.0\.1:.*" read
        by * search

access to attrs=dc,c,o,ou,krb5PrincipalName,objectClass,entry
        by domain=".*\.bayour\.com" read
        by peername="IP=127\.0\.0\.1:.*" read
        by aci=OpenLDAPaci write

access to * by * none
----- s n i p -----

The ACI entry (in _every_ object) looks like:
----- s n i p -----
openLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#cn=turbo fredriksson,ou=people,o=fredriksson,c=se
----- s n i p -----

The command 'ldapwhoami' (with 'access to * by * read') says:
----- s n i p -----
[tuzjfi.tty2]$ ldapwhoami -h localhost
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn:cn=turbo fredriksson,ou=people,o=fredriksson,c=se
----- s n i p -----


What happens is the following:
----- s n i p -----
[tuzjfi.tty2]$ ldapsearch -x -LLL -h localhost -b c=SE -s one 'o=Agby' o
dn: o=Agby,c=SE
o: Agby
o: Jens Agby

[tuzjfi.tty2]$ ldapsearch -LLL -h localhost -b c=SE -s one 'o=Agby' o
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn: o=Agby,c=SE
o: Agby
o: Jens Agby

[tuzjfi.tty2]$ cat /tmp/agby.ldif
dn: o=Agby,c=SE
replace: o
o: Agby
o: Jens Agby with Family
[tuzjfi.tty2]$ ldapmodify -h localhost -f /tmp/agby.ldif
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
modifying entry "o=Agby,c=SE"
ldapmodify: update failed: o=Agby,c=SE
ldap_modify: Insufficient access (50)

[tuzjfi.tty2]$
----- s n i p -----


Could someone please enlighten me on why I get 'Insufficient access'?

I've been able to figure out that it has something to do with the keywords
'continue' and/or 'break' being missing (or in the wrong place), but I
haven't been able to figure out why/how (I think I've tried EVERY combination!).
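As an added example (not part of the original post, and not a reply from the list), here is the poster's second 'access to' directive rewritten with the 'continue' control on the two read clauses. It rests on the slapd.access(5) rule that 'by' clauses are evaluated in the order written and the default control is 'stop': the client in the transcript connects from 127.0.0.1 (and presumably resolves under bayour.com), so it matches 'domain' or 'peername' with 'read' and evaluation stops before the 'by aci=OpenLDAPaci write' clause is ever considered. The assumption made here is that with 'continue' the privilege of the last matching 'by' clause prevails, so a client that also satisfies the ACI ends up with write while everyone else keeps read. The domain, attribute list and ACI attribute name are the poster's own; nothing else is taken from the page.

```conf
# Added example, not the poster's config as shipped.
# Assumes slapd.access(5) semantics: 'by' clauses are tried in order,
# the default control is 'stop', and with 'continue' evaluation goes on
# to the next 'by' clause, the last match deciding the privilege.
access to attrs=dc,c,o,ou,krb5PrincipalName,objectClass,entry
        # these two matched first for a 127.0.0.1 client and, with the
        # default 'stop', ended evaluation at 'read'
        by domain=".*\.bayour\.com" read continue
        by peername="IP=127\.0\.0\.1:.*" read continue
        # now reachable: the entry's own openLDAPaci values decide
        # whether this bound DN may write
        by aci=OpenLDAPaci write

# unchanged from the original: everything else stays closed
access to * by * none
```

Two things worth checking before blaming the ACL order again: the 'aci' form of a 'by' clause is only available when slapd was built with --enable-aci, and the anonymous '-x' search in the transcript returning the 'o' values is exactly what the 'peername ... read' clause predicts, so that part of the ACL is behaving as written rather than being broken.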