
Re: Access Control by Organizational Unit?

Thanks to all for their help so far.

I am having a problem. I can read, but not write to
the ldap db.

First, here is my set of access rules in slapd.conf:

# global rules
access to * by * read
access to * by * search

access to *
        by self write
        by dn.base="cn=ldap-admin,o=test.com"
        by * none

# per-OU rules: $1 is the group captured by the dn.regex in the "to" clause
access to dn.regex="[^,]*,(ou=.*)" attr=userPassword
        by self                         write
        by dn.regex="cn=Manager,$1"     write
        by *                            auth

access to dn.regex="[^,]*,(ou=.*)"
        by dn.regex="cn=Manager,$1"     write
        by *                            read

access to dn.regex="(ou=.*)" attr=children
        by dn.regex="cn=Manager,$1"     write
        by *                            read

(Note, I changed the cn to Manager).

I can use the following command to successfully read
from the ldap db:

ldapsearch -LLL -b "ou=org1, o=test.com" -x -D \
  "cn=Manager, ou=org1, o=test.com" -w password \
  "(cn=*)" ou sn cn

And the correct data is read from the db.  Meaning all
the cn entries within the OU org1 are listed as one
would expect from the syntax of the ldapsearch.

Great so far!

But, when I try to delete a person's cn entry, I
receive an error.  Here's the command:

ldapmodify -x -D "cn=Manager, ou=org1, o=test.com" \
  -w password

and then enter the following from stdin:
dn: cn=Rock1 , ou=org1, o=test.com
changetype: delete
{blank line} followed by ENTER

I receive the following error on stdout:
"ldap_delete: Insufficient access (50)
        additional info: no write access to entry"

A slapd debug log (level 168) shows:

=> access_allowed: write access to "cn=Rock1 ,ou=org1,o=test.com" "entry" requested
=> acl_get: [1] check attr entry
<= acl_get: [1] acl cn=Rock1,ou=org1,o=test.com attr:
=> acl_mask: access to entry "cn=Rock1,ou=org1,o=test.com", attr "entry" requested
=> acl_mask: to all values by "cn=manager,ou=org1,o=test.com", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)

So, clearly I have read access, but not write access
for the Manager entry in the org1 OU.

Also clearly I do not understand how to create the
access lists.

Any advice would be appreciated.  I decided that I can
have each OU use the dn: cn: Manager ou: org o:
test.com until I understand more about the way this
Thanks for helping, I appreciate it muchly.


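What the debug log above records is slapd's first-match evaluation: the first "access to" directive whose "to" clause matches the target is the only one consulted, and within it the first matching "by" clause decides (the default control is "stop"). "access to * by * read" is first in the file, matches every entry, and so every later rule is dead; a delete additionally needs write access to the "children" pseudo-attribute of the parent, which the post's "attr=children" rule never gets a chance to grant. The following Python model, added here as an example and not part of the original post or of OpenLDAP, parses the subset of slapd.access(5) syntax the post uses (omitting the "by self write" rule, whose "by dn.base" clause carries no access level), replays the evaluation for the post's DNs, and contrasts it with a reordered configuration that puts the per-OU rules before the catch-all and anchors the regexes so "cn=Manager,..." cannot match as a substring of a longer DN. The function names, the reordered configuration and the anchored "$1$" expansion are assumptions of this example; check the regex and expansion syntax against slapd.access(5) for the slapd version actually deployed.

```python
"""Toy model of slapd's first-match ACL evaluation (added example, not OpenLDAP code).

Parses only the slapd.access(5) subset used in the post: 'access to <what> [attr=X]'
followed by 'by <who> <level>' clauses, with <what> being '*' or dn.regex=, and
<who> being '*', 'self', dn.base=/dn.exact= or dn.regex= with $N expansion.
"""
import re
import shlex

# Access levels in increasing privilege; a granted level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample: the post's rules in the post's order (the 'by self write'
# rule is left out because its 'by dn.base' clause has no access level).
ORIGINAL_CONF = r"""
access to * by * read
access to * by * search
access to dn.regex="[^,]*,(ou=.*)" attr=userPassword
    by self write
    by dn.regex="cn=Manager,$1" write
    by * auth
access to dn.regex="[^,]*,(ou=.*)"
    by dn.regex="cn=Manager,$1" write
    by * read
access to dn.regex="(ou=.*)" attr=children
    by dn.regex="cn=Manager,$1" write
    by * read
"""

# Assumed fix: specific per-OU rules first, catch-all last, regexes anchored.
REORDERED_CONF = r"""
access to dn.regex="^[^,]+,(ou=[^,]+,o=test\.com)$" attr=userPassword
    by self write
    by dn.regex="^cn=Manager,$1$" write
    by * auth
access to dn.regex="^[^,]+,(ou=[^,]+,o=test\.com)$"
    by dn.regex="^cn=Manager,$1$" write
    by * read
access to dn.regex="^(ou=[^,]+,o=test\.com)$" attr=children
    by dn.regex="^cn=Manager,$1$" write
    by * read
access to * by * read
"""


def parse_acl(conf):
    """Return [(what, attr_or_None, [(who, level), ...]), ...] in file order."""
    rules = []
    for chunk in re.split(r"^\s*access\s+to\s+", conf, flags=re.M)[1:]:
        toks = shlex.split(chunk)          # shlex strips the double quotes
        what, rest = toks[0], toks[1:]
        attr = None
        if rest and rest[0].startswith(("attr=", "attrs=")):
            attr = rest.pop(0).split("=", 1)[1]
        clauses = [(rest[i + 1], rest[i + 2]) for i, t in enumerate(rest) if t == "by"]
        rules.append((what, attr, clauses))
    return rules


def _match_what(what, target_dn):
    """Match the <what> clause; the Match object keeps the groups for $N expansion."""
    if what == "*":
        return re.match("", target_dn)    # always matches, captures nothing
    if what.startswith("dn.regex="):      # unanchored, like slapd's regexec
        return re.search(what[len("dn.regex="):], target_dn, re.I)
    raise ValueError("unsupported <what>: " + what)


def _match_who(who, target_match, target_dn, bound_dn):
    """Match a <by> clause against the bound DN (DNs compared case-insensitively)."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn.lower() == target_dn.lower()
    if who.startswith(("dn.base=", "dn.exact=")):
        return who.split("=", 1)[1].lower() == bound_dn.lower()
    if who.startswith("dn.regex="):
        # Expand $N from the <what> match; this toy escapes it before reuse as regex.
        pat = re.sub(r"\$(\d)", lambda g: re.escape(target_match.group(int(g.group(1)))),
                     who[len("dn.regex="):])
        return re.search(pat, bound_dn, re.I) is not None
    raise ValueError("unsupported <who>: " + who)


def access_allowed(rules, target_dn, attr, bound_dn):
    """Level granted by the FIRST rule whose <what> matches; later rules are never read."""
    for what, rule_attr, clauses in rules:
        if rule_attr is not None and rule_attr.lower() != attr.lower():
            continue                        # rule covers a different attribute
        m = _match_what(what, target_dn)
        if m is None:
            continue
        for who, level in clauses:          # first matching <by> wins (control 'stop')
            if _match_who(who, m, target_dn, bound_dn):
                return level
        return "none"                       # <what> matched, no <by> did: implicit 'by * none'
    return "none"


def allowed(rules, target_dn, attr, bound_dn, needed):
    return LEVELS.index(access_allowed(rules, target_dn, attr, bound_dn)) >= LEVELS.index(needed)


def can_delete(rules, target_dn, bound_dn):
    """ldap_delete needs write on the entry AND write on the parent's 'children'."""
    parent = target_dn.split(",", 1)[1]
    return (allowed(rules, target_dn, "entry", bound_dn, "write")
            and allowed(rules, parent, "children", bound_dn, "write"))


if __name__ == "__main__":
    manager, rock1 = "cn=Manager,ou=org1,o=test.com", "cn=Rock1,ou=org1,o=test.com"
    for name, conf in (("original", ORIGINAL_CONF), ("reordered", REORDERED_CONF)):
        rules = parse_acl(conf)
        print(name, "entry:", access_allowed(rules, rock1, "entry", manager),
              "delete:", can_delete(rules, rock1, manager))
```

With the original order the model returns "read" for the entry, exactly the "[1] applying read(=rscx) (stop)" line in the log, and the delete is refused; with the per-OU rules ahead of the catch-all the org1 Manager gets "write" on both the entry and the parent's children, while the Manager of another OU, or an anonymous bind, still only gets read (or auth on userPassword).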