ACL question
Dear all,
I have a group called 'Domain Admins' (surprise!), and I just can't get
people in that group to delete any people from group
ou=Users,dc=my,dc=domain. I've been trying to find out what's wrong,
read many web pages, but still can't locate the error. I have the
following ACLs which control 'Domain Admins' access to my directory:
access to dn.base="dc=my,dc=domain"
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
access to dn="ou=Users,dc=my,dc=domain" attr=children
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
If I have a user called, e.g., uid=someuser,ou=Users,dc=my,dc=domain, who is
a member of group cn=Domain Admins,ou=Groups,dc=my,dc=domain, and I try
to delete another user in group ou=Groups,dc=my,dc=domain
ldapdelete -x -Z -D "uid=someuser,ou=Users,dc=my,dc=domain" -W \
"uid=usertodelete,ou=Users,dc=my,dc=domain"
I'll receive an error message
Delete Result: Insufficient access (50)
Additional info: no write access to parent
However, if I just try to search data for user 'usertodelete', e.g.
ldapsearch -x -Z -D "uid=someuser,ou=Users,dc=my,dc=domain" -W \
"uid=usertodelete,ou=Users,dc=my,dc=domain"
I get result
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=usertodelete,ou=Users,dc=my,dc=domain
# requesting: ALL
#
# search result
search: 2
result: 0 Success
meaning that ldapdelete can't find 'usertodelete' from LDAP directory.
If I just try this
ldapdelete -x -Z -D "uid=someuser,ou=Users,dc=my,dc=domain" -W \
"uid=usertodelete"
I'll receive an error
Delete Result: Server is unwilling to perform (53)
Additional info: no global superior knowledge
I suppose the error is very simple, but I just can't see it. I would
appreciate any help, or any links to websites which have good ACL
examples.
My OpenLDAP version is 2.2.13-4. This is the ACL section in my
/etc/openldap/slapd.conf file:
---
# users can authenticate and change their password
access to \
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet, \
    sambaPwdMustChange
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by dn="cn=nssldap,ou=DSA,dc=my,dc=domain" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can
# answer correctly
access to \
    attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by * read
# some attributes can be writable by users themselves
access to \
    attrs=description,telephoneNumber,roomNumber,homePhone,loginShell, \
    gecos,cn,sn,givenname
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by self write
    by * read
# some attributes need to be writable for samba
access to \
    attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,\
    sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,\
    sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,\
    sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,\
    sambaDomainName,sambaMungedDial,sambaBadPasswordCount,\
    sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,\
    sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,\
    sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,\
    sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,\
    sambaStringOption,sambaStringListoption
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by self read
    by * none
access to dn.base="dc=my,dc=domain"
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by * none
# For "Domain Admins"
access to dn="ou=Users,dc=my,dc=domain" attr=children
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
access to dn="ou=Computers,dc=my,dc=domain" attr=children
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
access to dn="ou=Groups,dc=my,dc=domain" attr=children
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
access to dn="ou=Printers,dc=my,dc=domain" attr=children
    by group="cn=Domain Admins,ou=Groups,dc=my,dc=domain" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=my,dc=domain"
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=my,dc=domain"
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=my,dc=domain"
    by dn="cn=samba,ou=DSA,dc=my,dc=domain" write
    by dn="cn=smbldap-tools,ou=DSA,dc=my,dc=domain" write
    by * none
# For PHPLDAPAdmin
access to dn="cn=subschema"
    by * read
access to *
    by dn="cn=replicator,ou=DSA,dc=my,dc=domain" read
    by self read
    by * none
---
Jukka Hienola
--
IT Services Administrator, Department of Physical Sciences,
University of Helsinki, firstname lastname at helsinki fi,
tel. +358 (0)9 191 50713, fax. +358 (0)9 191 50610
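The "no write access to parent" error in the post comes from the second of the two checks slapd performs for a delete: write access to the target entry's `entry` pseudo-attribute, and write access to the parent's `children` pseudo-attribute, each answered by the first `access to` clause whose target matches (first matching `by` clause wins, and an unmatched request is denied). The following Python model, added here as an example and not code from the post or from OpenLDAP, walks those two checks over a constructed ACL set shaped like the one above, once without and once with a `children` grant on ou=Users. DN styles are given explicitly (`exact`/`base`, `one`, `children`, `subtree`), group membership is a static table rather than a lookup of `member` values, regex targets and escaped commas are not modelled, and the clause indices it reports refer to its own list, so it illustrates the evaluation order rather than diagnosing the poster's server.

```python
"""Model of slapd.conf ACL evaluation for a delete (added example, not slapd code).

Rules modelled (from slapd.access(5)):
  * clauses are tried in order; the first clause whose target matches the
    entry/attribute decides; inside it the first matching 'by' wins;
    no match at all means the implicit 'access to * by * none';
  * delete needs write on the target's 'entry' attribute AND write on the
    parent's 'children' attribute.
Assumptions: explicit dn styles, static group table, no regex, no escaped commas.
"""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def norm(dn: str) -> str:
    return dn.lower()


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1]


@dataclass
class Who:
    kind: str            # "*", "anonymous", "users", "self", "dn", "group"
    value: str = ""
    level: str = "none"  # access granted when this 'by' clause matches


@dataclass
class Acl:
    dn: Optional[str] = None       # target DN; None means every entry
    dnstyle: str = "exact"         # exact | base | one | children | subtree
    attrs: set = field(default_factory=set)  # empty set means every attribute
    by: list = field(default_factory=list)


def dn_matches(acl: Acl, entry_dn: str) -> bool:
    if acl.dn is None:
        return True
    t, e = norm(acl.dn), norm(entry_dn)
    below = e.endswith("," + t)                      # e is somewhere under t
    direct = below and "," not in e[: -len(t) - 1]  # e is a direct child of t
    return {"exact": e == t, "base": e == t, "one": direct,
            "children": below, "subtree": e == t or below}[acl.dnstyle]


def who_matches(who: Who, bind_dn: Optional[str], entry_dn: str, groups: dict) -> bool:
    if who.kind == "*":
        return True
    if who.kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:                 # the remaining kinds need a bound DN
        return False
    if who.kind == "users":
        return True
    if who.kind == "self":
        return norm(bind_dn) == norm(entry_dn)
    if who.kind == "dn":
        return norm(bind_dn) == norm(who.value)
    if who.kind == "group":
        return norm(bind_dn) in {norm(m) for m in groups.get(norm(who.value), ())}
    raise ValueError(who.kind)


def access_level(acls, bind_dn, entry_dn, attr, groups):
    """Return (level, index of the deciding clause); index -1 is the implicit deny."""
    for i, acl in enumerate(acls):
        if not dn_matches(acl, entry_dn) or (acl.attrs and attr not in acl.attrs):
            continue
        for who in acl.by:
            if who_matches(who, bind_dn, entry_dn, groups):
                return who.level, i
        return "none", i       # target matched but no 'by' clause applied
    return "none", -1


def can_delete(acls, bind_dn, target_dn, groups):
    """Perform the two checks slapd makes for a delete; return (ok, reason)."""
    lvl, i = access_level(acls, bind_dn, target_dn, "entry", groups)
    if LEVELS[lvl] < LEVELS["write"]:
        return False, f"no write access to entry (clause {i} gave {lvl})"
    lvl, i = access_level(acls, bind_dn, parent_dn(target_dn), "children", groups)
    if LEVELS[lvl] < LEVELS["write"]:
        return False, f"no write access to parent (clause {i} gave {lvl})"
    return True, "ok"


# Constructed sample data, shaped like the post's ACLs but much shorter.
ADMINS = "cn=Domain Admins,ou=Groups,dc=my,dc=domain"
GROUPS = {norm(ADMINS): ["uid=someuser,ou=Users,dc=my,dc=domain"]}
TARGET = "uid=usertodelete,ou=Users,dc=my,dc=domain"


def admin_write() -> Who:
    return Who("group", ADMINS, "write")


BASE_ACLS = [
    Acl(attrs={"objectClass", "entry", "uid"}, by=[admin_write(), Who("*", level="read")]),
    Acl(dn="dc=my,dc=domain", dnstyle="base", by=[admin_write(), Who("*")]),
]
CHILDREN_GRANT = Acl(dn="ou=Users,dc=my,dc=domain", attrs={"children"},
                     by=[admin_write(), Who("*")])
CATCH_ALL = Acl(by=[Who("self", level="read"), Who("*")])
WITHOUT_GRANT = BASE_ACLS + [CATCH_ALL]
WITH_GRANT = BASE_ACLS + [CHILDREN_GRANT, CATCH_ALL]

if __name__ == "__main__":
    for name, acls in (("without children grant", WITHOUT_GRANT), ("with children grant", WITH_GRANT)):
        print(name, can_delete(acls, "uid=someuser,ou=Users,dc=my,dc=domain", TARGET, GROUPS))
```

The first ACL set reproduces the shape of the error in the post: the `entry` check passes through the attribute clause, but the `children` check on ou=Users falls through to the catch-all and yields `none`. Adding the `children` clause before the catch-all is what turns the second check into `write`; because evaluation stops at the first matching clause, a broad `access to *` placed earlier would shadow it.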