
Re: simple acl



> Hi again,
> I have a little more advanced ACL now. (OpenLDAP 2.2.14)
> My aim is to allow the admin full write permissions, and the room admins to
> be able to manage their ou=room1 and room2.
>
> Here is my acl:
>
> ## Auth users
> access to attr=userPassword
>  by self write
>  by anonymous auth
>  by * none
>
> ## Full Admin Access
> access to *
>  by self write
>  by dn="cn=admin,o=addressbook,dc=example,dc=net" write
>  by * read

^^^
The above rule catches all; subsequent rules are never-ever checked.

>
> ## room1 admin access limited to ou=room1
> access to dn="ou=room1,o=addressbook,dc=example,dc=net"
>  by self write
>  by dn="cn=room1_admin,ou=room2,o=addressbook,dc=example,dc=net" write
>  by * read
>
> ## room2 admin access limited to ou=room1
> access to dn="ou=room2,o=addressbook,dc=example,dc=net"
>  by self write
>  by dn="cn=room2_admin,ou=room2,o=addressbook,dc=example,dc=net" write
>  by * read
>
> Now when I want to log in with Evolution, Evolution crashes.
> Am I using nonsense rules which make it crash, or what's going on here?

They are (partially) nonsense; if access rules on a directory server are
enough to crash a piece of software, that software really has problems.
I'm sorry I can't help with that.  I suggest you ask your vendor, or post
on a related list.  It may help to present them a full log of what the
client is trying to do before it crashes, though.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
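
The first-match evaluation described in the reply, as an added example that is not part of the original thread: a small Python model of how slapd picks one `access to` clause and then one `by` clause. `BASE`, `parse`, `what_matches`, `who_matches` and `decide` are hypothetical names, the ACL text is constructed from the quoted rules, and DN clauses are compared as exact strings, which is a simplification of slapd's matching styles.

```python
BASE = "o=addressbook,dc=example,dc=net"
# Constructed input: the ACL quoted in the post, comments dropped, original order.
ACL = f"""
access to attr=userPassword
 by self write
 by anonymous auth
 by * none
access to *
 by self write
 by dn="cn=admin,{BASE}" write
 by * read
access to dn="ou=room1,{BASE}"
 by self write
 by dn="cn=room1_admin,ou=room2,{BASE}" write
 by * read
access to dn="ou=room2,{BASE}"
 by self write
 by dn="cn=room2_admin,ou=room2,{BASE}" write
 by * read
"""

def parse(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in map(str.strip, text.strip().splitlines()):
        if line.startswith("access to "):
            rules.append((line[10:], []))
        elif line.startswith("by "):
            rules[-1][1].append(tuple(line[3:].rsplit(None, 1)))
    return rules

def what_matches(what, entry_dn, attr):
    if what.startswith("attr="):
        return attr in what[5:].split(",")
    return what in ("*", f'dn="{entry_dn}"')  # model assumption: exact DN match

def who_matches(who, entry_dn, bind_dn):
    simple = {"*": True, "self": bind_dn == entry_dn, "anonymous": bind_dn is None}
    return simple.get(who, bind_dn is not None and who == f'dn="{bind_dn}"')

def decide(rules, entry_dn, attr, bind_dn):
    """First matching 'access to' wins, then its first matching 'by' clause."""
    for i, (what, bys) in enumerate(rules):
        if what_matches(what, entry_dn, attr):
            hits = [lvl for who, lvl in bys if who_matches(who, entry_dn, bind_dn)]
            return i, (hits[0] if hits else "none")  # implicit "by * none"
    return None, "none"

if __name__ == "__main__":
    print(decide(parse(ACL), f"ou=room1,{BASE}", "ou", f"cn=room1_admin,ou=room2,{BASE}"))
```

With the posted order, room1_admin is decided by rule index 1 (`access to *`) and gets `read`, so the room rules are never reached. Moving the catch-all last gives room1_admin `write` on ou=room1, but the full admin then stops at `by * read` in the room rule, so each specific rule must also name the admin.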