Re: ACL problem
- To: openldap <openldap-software@OpenLDAP.org>
- Subject: Re: ACL problem
- From: Feifei Jia <shenmue71@gmail.com>
- Date: Tue, 1 Nov 2005 22:00:04 +0800
- In-reply-to: <1130773664.5484.19.camel@mistral>
- References: <7522130a0510260553q1de0c6edk9510d187edf9d234@mail.gmail.com> <1130335875.14145.1.camel@mistral> <7522130a0510261912w7c588332j6681fe88ec0be66a@mail.gmail.com> <1130441554.19753.34.camel@mistral> <7522130a0510272231l2098fb3dy446edd0b1d4caea6@mail.gmail.com> <1130509896.23198.9.camel@mistral> <7522130a0510290428k5e8f05e6ie6b0a86778ba5ec9@mail.gmail.com> <43639733.5070907@amnh.org> <7522130a0510310545g69e0e01drf4de54f3f27a6522@mail.gmail.com> <1130773664.5484.19.camel@mistral>
On 10/31/05, Samuel Tran <stran@amnh.org> wrote:
> > > >>>>>>On Wed, 2005-10-26 at 20:53 +0800, Feifei Jia wrote:
> > > >>>>>>
> > > >>>>>>>Hi there,
> > > >>>>>>>
> > > >>>>>>>What I want to do is:
> > > >>>>>>>
> > > >>>>>>>Let the RDN under ou=Admin,dc=com have write permission to the RDN
> > > >>>>>>>like uid=foo,ou=People,dc=com
> > > >>>>>>>
> > > >>>>>>Do you want any entries in ou=Admin,dc=com to be able to write to any
> > > >>>>>>entries in ou=People,dc=com?
> > > >>>>>>
> > > >>>>>>Sam
> > > >>>>>>
> > > >>>>>Yes, that's exactly what I want to do. Could you tell me how to achieve this?
> > > >>>>>
> > > >>>>Try this:
> > > >>>>
> > > >>>>access to dn.subtree="ou=People,dc=com"
> > > >>>> by dn.one="ou=Admin,dc=com" write
> > > >>>>
> > > >>>>Sam
> > > >>>>
> > > >>>If I want to use regex to let DN like
> > > >>>"uid=test,ou=Admin,dc=demo1,dc=com" can write to entries in
> > > >>>"ou=People,dc=demo1,dc=com", and change "demo1" to "([^,]+)" , what
> > > >>>should I do? It seems I cannot combine subtree with regex.
> > > >>>
> > > >>According to man slapd.access, this should work for you:
> > > >>
> > > >>access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > > >> by dn.one,expand="ou=Admin,dc=$1,dc=com"
> > > >>
> > > >>Let me know if it is fine.
> > > >>
> > > >>Sam
> > > >>
> > > >
> > > >It seems not to work; I only get an "Insufficient access (50)" error :(
> > > >Maybe "dn,one" is not a good choice?
> > > >
> > > Sorry I forgot the access field. It should be:
> > >
> > > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > > by dn.one,expand="ou=Admin,dc=$1,dc=com" write
> > >
> > > --
> > > Sam
> > >
> >
> > Actually, I did add "write" in the "by" clause that day. And I ran
> > "slapd -d 128"; it showed something like "access denied" :(
> >
>
> Sorry I made a mistake; it should be $2 instead of $1 in the who clause:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>
> Sam
>
Cool, that works, thanks.
But there's a weird problem: the "userPassword" of entries in
ou=People,dc=([^,]+),dc=com, whether set with my slapd admin account or
with entries in ou=Admin,dc=$2,dc=com, was invalid. I could successfully add
the "userPassword", but when I used the password to authenticate (say, with
ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
All the entries not in ou=People,dc=([^,]+),dc=com can authenticate fine. I
added a new rule and put it before "access to attrs=userPassword"
(the slapd.conf default ACL):
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
Still the same :(
--
Thanks~
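As an added illustration (not code from the thread or from OpenLDAP), here is a small Python model of two documented slapd ACL behaviours this thread runs into: `$N` in a `by ... expand` clause is filled from capture group N of the `dn.regex` in the `what` clause, and only the first `access to` whose `what` matches is consulted, with an implicit `by * none` if none of its `by` clauses apply. The ACL set, DNs and simple-bind check below are constructed for the example; it models a simple bind as the anonymous identity needing `auth` access to `userPassword`.

```python
import re

# Constructed toy ACL evaluator: the thread's regex rule placed before the
# stock slapd.conf userPassword rule, as the poster describes.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def rules(who_template):
    """ACL list with the 'by dn.one,expand=...' pattern taken as a parameter."""
    return [
        {"what": r"^(.+,)?ou=People,dc=([^,]+),dc=com$", "attrs": None,
         "by": [("dn.one,expand", who_template, "write")]},
        {"what": None, "attrs": "userPassword",
         "by": [("self", None, "write"), ("anonymous", None, "auth")]},
    ]

def expand(template, match):
    # $N becomes capture group N of the what-regex; an unmatched optional group is "".
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)

def who_matches(kind, pattern, bind_dn, target_dn, match):
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return bind_dn == target_dn
    if kind == "dn.one,expand":
        # dn.one: bind DN must sit exactly one level below the expanded DN
        # (naive split on the first comma is enough for the DNs in this thread).
        parent = bind_dn.split(",", 1)[1] if "," in bind_dn else ""
        return parent == expand(pattern, match)
    return False

def granted(acl, bind_dn, target_dn, attr, needed):
    """True if slapd would grant `needed` access to `attr` on `target_dn`."""
    for rule in acl:
        if rule["attrs"] is not None and rule["attrs"] != attr:
            continue
        match = None
        if rule["what"] is not None:
            match = re.match(rule["what"], target_dn)
            if match is None:
                continue
        # Only the first matching 'access to' is consulted; if none of its
        # by-clauses apply, the implicit trailing 'by * none' decides.
        level = "none"
        for kind, pattern, lvl in rule["by"]:
            if who_matches(kind, pattern, bind_dn, target_dn, match):
                level = lvl
                break
        return LEVELS.index(level) >= LEVELS.index(needed)
    return False
```

With `$1` the expansion yields `ou=Admin,dc=uid=foo,,dc=com` (group 1 is the optional RDN prefix), which is why Sam's first version denied access; with `$2` the write is granted, but the same rule now swallows every request on entries under ou=People, including the anonymous `auth` access to userPassword that a simple bind needs, so those binds fail while entries elsewhere still fall through to the userPassword rule. A rule with no `by` line at all grants nothing to anyone.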