
Am I still struggling with ACLs?

I'm trying to make changes to the database as a different user than the
Manager and I am running into problems. I've played with the ACLs a lot
and from what I can tell they are good, but if I change them to just
"access to * by * write" things work as expected. I've been reading tons
of stuff, and must be missing one obvious thing that is assumed or
something. Your help again is appreciated. Here's the issue in detail...

// I'm trying to run this command:
# ldapmodify -W -D "uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu"

// I enter this change:
dn: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
changetype: modify         
add: memberUid
memberUid: JasonStroup

// And get this response:
modifying entry "cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu"
ldapmodify: update failed: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
ldap_modify: Insufficient access (50)

// I'm using the following ACLs:

access to attr=userPassword
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by anonymous auth
        by * none break
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read

allow bind_v2

// uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu is listed as a
// memberUid attr in cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu

// This is the log report:
Jul 16 09:42:11 localhost slapd[6684]: conn=29 fd=14 ACCEPT from IP=127.0.0.1:33559 (IP=0.0.0.0:389)
Jul 16 09:42:11 localhost slapd[6688]: conn=29 op=0 BIND dn="uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu" method=128
Jul 16 09:42:11 localhost slapd[6688]: conn=29 op=0 BIND dn="uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu" mech=SIMPLE ssf=0
Jul 16 09:42:11 localhost slapd[6688]: conn=29 op=0 RESULT tag=97 err=0 text=
Jul 16 09:45:15 localhost slapd[6688]: conn=29 op=1 MOD dn="cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu"
Jul 16 09:45:15 localhost slapd[6688]: conn=29 op=1 MOD attr=memberUid
Jul 16 09:45:15 localhost slapd[6688]: conn=29 op=1 RESULT tag=103 err=50 text=
Jul 16 09:45:15 localhost slapd[6688]: conn=29 op=2 UNBIND
Jul 16 09:45:15 localhost slapd[6688]: conn=29 fd=14 closed

Thanks for your help,
JSR/
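Added example, not part of the post above: the ACLs in the post only grant write to members of cn=Domain Admins, while the bound user is listed in cn=Domain Users, and an OpenLDAP group.exact clause matches the DN-valued member attribute of a groupOfNames by default, never the bare-uid memberUid values of a posixGroup. The slapd.conf fragment below shows the scoped alternative to "access to * by * write"; it assumes cn=Domain Admins is (re)created as a groupOfNames whose member values are full DNs.

```conf
# Added example (not the original poster's config). Assumes cn=Domain Admins
# is a groupOfNames with entries such as
#   member: uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu
# group/groupOfNames/member= spells out what group.exact= checks by default.

# userPassword: owner and admins may write it; everyone else may only bind.
# Note: the post's "by * none break" continues into "access to *", whose
# "by * read" then lets any authenticated non-self user read the hash.
# A plain "by * none" stops evaluation here.
access to attrs=userPassword
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group/groupOfNames/member="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by anonymous auth
        by * none

# Group membership under ou=Groups: only Manager and Domain Admins may edit
# memberUid; authenticated users may read it, anonymous gets nothing.
access to dn.subtree="ou=Groups,dc=cougarnet,dc=bible,dc=edu" attrs=memberUid
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group/groupOfNames/member="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by users read
        by * none

# Catch-all: deliberately no "by * write"; ordinary users keep self-write.
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group/groupOfNames/member="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read
```

Rules are evaluated in order and the first matching "access to" directive wins, so the memberUid rule must precede the catch-all; a failed modify still shows up as err=50 in the slapd log, which is the line to watch when verifying the change.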