Re: Decyphering openldap ACL logs

[Dieter Kluenter <dieter@dkluenter.de>]

rajkumars@asianetindia.com writes:

> Hi,
>
> I am working on configuring qmail-ldap and facing some permission problems with my ldap configuration. 
>
> My  slapd.conf's acl section is some thing like 
>
> access to attr=userPassword
>         by anonymous auth
>
> access to *
>         by dn="cn=admin,dc=com" write
>         by aci write
>         by * read
> with aci's configured in my directory. 

You allowed read access to the enire tree.

> To debug the problem I enabled logging with level 128, and I am getting copious logs. I am some what able to make out what the logs mean, but in order to get the exact meaning I searched for some documentation about the logs entries. But could not find any. 
>
> One of my logs fragment looks like this:
> => access_allowed: write access to "dc=cse,dc
> =com" "entry" requested 
> => acl_get: [1] check attr entry 
> => acl_get: [2] check attr entry 
> <= acl_get: [2] acl dc=cse,dc=com attr: entry
> => acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested 
> => acl_mask: to all values by "uid=mailadmin, dc=com", (=n)  
> <= check a_dn_pat: cn=admin,dc=com 
> <= check a_dn_pat: * 
> <= acl_mask: [3] applying read(=rscx) (stop) 
> <= acl_mask: [3] mask: read(=rscx) 
> => access_allowed: write access denied by rea
> d(=rscx) 

uid=mailadmin,dc=com requests write access, rule 3 is applied, which
is 'access to * by * read'

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de