
Re: slurpd question with GSSAPI



On Fri, Aug 27, 2004 at 09:50:10AM +0200, Dieter Kluenter wrote:
> > access to attrs=userPassword
> >         by * auth
> >
> > access to *
> >         by dn="uid=host/torch.cs.umd.edu@CS.UMD.EDU,cn=cs.umd.edu, 
> > cn=gssapi,cn=auth"
> >         by dn="uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=cs.umd.edu, 
> > cn=gssapi,cn=auth"
> >         by * read
> [...]
> 
> rule 2 allows no write access.

Thanks, I figured this out, dumbass me.

I have another question though, I am now trying to allow my users with
gssapi creds to write to certain attributes in the directory,

here is the slapd.conf acl line,

access to dn="uid=(.*),ou=.*,dc=csic,dc=umd,dc=edu" attr=cn,givenName,sn,mailRoutingAddress,loginShell,gecos
        by dn="uid=$1@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth" write
        by self write
        by * read

and the -d 128 slapd output,

=> access_allowed: write access to "uid=testing,ou=people,dc=csic,dc=umd,dc=edu" "cn" requested
=> dn: [1] uid=testing,ou=.*,dc=csic,dc=umd,dc=edu
=> acl_get: [2] attr cn
access_allowed: no res from state (cn)
=> acl_mask: access to entry "uid=testing,ou=people,dc=csic,dc=umd,dc=edu", attr "cn" requested
=> acl_mask: to all values by "uid=testing@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth", (=n) 
<= check a_dn_pat: uid=derek@cs.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)

Can I not do what I am trying to do?



-- 
Derek T. Yarnell
UNIX System Administrator
Computer Science Department
University of Maryland
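An added example, not part of Derek's post or of OpenLDAP itself: a small Python parser for the `-d 128` ACL trace quoted above. It pulls out the requested access level, the binding DN, every `by dn` pattern slapd tried before the catch-all `by *`, and the mask that finally applied, then states why the decision came out as it did. The regexes assume the line formats shown in the post, and the privilege letters follow slapd's `(=...)` notation.

```python
import re

# Constructed sample: the slapd -d 128 ACL trace quoted in the post above.
ACL_TRACE = """\
=> access_allowed: write access to "uid=testing,ou=people,dc=csic,dc=umd,dc=edu" "cn" requested
=> dn: [1] uid=testing,ou=.*,dc=csic,dc=umd,dc=edu
=> acl_get: [2] attr cn
access_allowed: no res from state (cn)
=> acl_mask: access to entry "uid=testing,ou=people,dc=csic,dc=umd,dc=edu", attr "cn" requested
=> acl_mask: to all values by "uid=testing@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth", (=n)
<= check a_dn_pat: uid=derek@cs.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Privilege letters slapd prints inside "(=...)"; a level is granted only if its letter is in the mask.
LEVEL_LETTER = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

REQUEST_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BIND_RE = re.compile(r'^=> acl_mask: to all values by "([^"]*)"')
PATTERN_RE = re.compile(r'^<= check a_dn_pat: (.*)$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=([a-z]*)\) \(stop\)')
RESULT_RE = re.compile(r'^=> access_allowed: (\w+) access (granted|denied)')

def parse_acl_trace(text):
    """Reduce one ACL evaluation to: what was requested, who asked, which
    <by> dn patterns were tried, and which clause finally applied."""
    d = {"patterns_tried": []}
    for line in text.splitlines():
        if m := REQUEST_RE.match(line):
            d["requested"], d["target_dn"], d["attr"] = m.groups()
        elif m := BIND_RE.match(line):
            d["bind_dn"] = m.group(1)
        elif m := PATTERN_RE.match(line):
            d["patterns_tried"].append(m.group(1).strip())
        elif m := APPLY_RE.match(line):
            d["acl_index"], d["applied"], d["mask"] = int(m.group(1)), m.group(2), m.group(3)
        elif m := RESULT_RE.match(line):
            d["result"] = m.group(2)
    return d

def explain(d):
    # The requested level is granted only if its letter appears in the mask that stopped evaluation.
    needed = LEVEL_LETTER[d["requested"]]
    skipped = [p for p in d["patterns_tried"] if p != "*"]  # "*" is the catch-all "by *" clause
    if needed in d["mask"]:
        return f'{d["requested"]} on {d["attr"]} granted by ACL {d["acl_index"]} mask ={d["mask"]}'
    return (f'{d["requested"]} on {d["attr"]} denied: bind DN {d["bind_dn"]} matched none of '
            f'{skipped}; fell through to "by *" in ACL {d["acl_index"]}, mask ={d["mask"]} has no "{needed}"')
```

Running `explain(parse_acl_trace(ACL_TRACE))` reports that the write was denied because the bind DN matched no `by dn` pattern and the catch-all `read(=rscx)` mask carries no `w`.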