[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL Headaches
* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 20:52]:
> Every ACL listing now has
I think the error is now in the
'access to dn=".*,dc=qm"' Statement. Apparently you want dn.regex,
instead of dn.base (which is default), although I cannot see why.
Because this ACL is never evulated, your user has no write-access to
your LDAP-Tree.
If there not a pressing need to use dn.regex, use dn.subtree or
dn.children (look in man slapd.access)
> by dn="uid=silasb,ou=people,dc=qm" write
> by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write
Since you have now a working SASL-Regex the second by-clause will
never be evualeted true. The ACL-Engine sees only the modified ACLs,
so you can omit the second by-statement.
On a second note, if you want check a "dn" it is always better to use
dn.exact (usually that is what you want) (ok exact, or base, is the
default, but I like to have my ACLs 100% clear)
> ldap_add: Insufficient access (50)
> additional info: no write access to parent
--
Max-Born-Institut (MBI)/Max-Born-StraÃe 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------
- References:
- RE: ACL Headaches
- From: "Bennett, Silas \(GE Infrastructure\)" <Silas.Bennett@ge.com>