
acl sets don't appear to work

I'm running OpenLDAP 2.1.30 on a Gentoo Linux system. I've been running this with Samba 3.0.14a very successfully for over a year. When I set this system up, I followed the howto presented by idealx.org, and I've been pretty happy with the results.

But, recently, I decided that logging in as root and/or cn=Manager to do maintenance on the DIT was not a very good idea. I figured, having a "Domain Admins" group defined in my ldap directory should provide me with an excellent control for who can/cannot edit the DIT...

Regretfully, the memberUID attribute only stores the shortname for users, so this has complicated setting up ACLs for superuser access to the directory.
I discovered acl sets. But, I can't seem to get them working.

I've followed the examples in the Faq-O-Matic
"Sets in Access Controls" (http://www.openldap.org/faq/index.cgi?_highlightWords=sets%20in%20access%20controls&file=1133)

"Sets as 'reverse groups'" (http://www.openldap.org/faq/index.cgi?_highlightWords=reverse%20groups&file=1134)

I even went so far as to insert an extremely basic acl at the beginning of the acl list:

    access to dn="uid=testuser,ou=Users,dc=example,dc=com"
        by set.exact="user/uid & [adminuser]" write
        by * read

When I attempt to edit an attribute of this user, I get ...
Jan 19 19:31:20 [slapd] => acl_mask: access to entry "uid=testuser,ou=Users,dc=example,dc=com", attr "description" requested_
Jan 19 19:31:20 [slapd] => acl_mask: to all values by "uid=adminuser,ou=users,dc=example,dc=com", (=n) _
Jan 19 19:31:20 [slapd] <= check a_dn_pat: *_
Jan 19 19:31:20 [slapd] <= acl_mask: [2] applying read(=rscx) (stop)_
Jan 19 19:31:20 [slapd] <= acl_mask: [2] mask: read(=rscx)_
Jan 19 19:31:20 [slapd] => access_allowed: write access denied by read(=rscx)_

This is obviously a less complex acl than I will need to allow all users listed in the memberUid attribute of the posixAccount, but if I can't make this work, I'll never make the real acl work. Am I configuring it wrong, or is there a config option that I missed during compilation?
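
As an added example (not part of the original post and not OpenLDAP code), the Python sketch below parses an ACL debug trace like the one quoted in the post and reports which `by` clause decided the request. It assumes the trailing `_` on each line is a logging artifact, that the bracketed number is the position of the `by` clause within the matched `access to` directive, and that clauses are tried in order; `summarize` and `explain` are hypothetical names.

```python
import re

# The six trace lines quoted in the post, embedded so the example runs offline.
SAMPLE = r'''
Jan 19 19:31:20 [slapd] => acl_mask: access to entry "uid=testuser,ou=Users,dc=example,dc=com", attr "description" requested_
Jan 19 19:31:20 [slapd] => acl_mask: to all values by "uid=adminuser,ou=users,dc=example,dc=com", (=n) _
Jan 19 19:31:20 [slapd] <= check a_dn_pat: *_
Jan 19 19:31:20 [slapd] <= acl_mask: [2] applying read(=rscx) (stop)_
Jan 19 19:31:20 [slapd] <= acl_mask: [2] mask: read(=rscx)_
Jan 19 19:31:20 [slapd] => access_allowed: write access denied by read(=rscx)_
'''

# Assumption: the trailing "_" is a logging artifact, so the patterns ignore it.
REQ = re.compile(r'acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
WHO = re.compile(r'acl_mask: to (?:all values|value) by "([^"]*)"')
CHECK = re.compile(r'<= check (\w+): (.*?)_?\s*$')
APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)\(=([a-z0-9]*)\) \((\w+)\)')
FINAL = re.compile(r'access_allowed: (\w+) access (granted|denied) by (\w+)')

def summarize(trace):
    """Return one dict per access_allowed decision found in an ACL debug trace."""
    results, cur = [], {"checks": []}
    for line in trace.splitlines():
        if m := REQ.search(line):          # start of a new evaluation
            cur = {"entry": m[1], "attr": m[2], "checks": []}
        elif m := WHO.search(line):        # DN the request is bound as
            cur["who"] = m[1]
        elif m := CHECK.search(line):      # each <who> pattern slapd reports testing
            cur["checks"].append((m[1], m[2]))
        elif m := APPLY.search(line):      # the by-clause that matched
            cur["clause"], cur["level"], cur["control"] = int(m[1]), m[2], m[4]
        elif m := FINAL.search(line):      # final decision for the requested level
            cur["requested"], cur["result"] = m[1], m[2]
            results.append(cur)
            cur = {"checks": []}
    return results

def explain(r):
    """One-line reading of a decision; lower-numbered by-clauses did not match."""
    skipped = r.get("clause", 1) - 1
    return (f'{r.get("who")} requested {r.get("requested")} on attr {r.get("attr")!r}: '
            f'{r.get("result")}; by-clause #{r.get("clause")} applied {r.get("level")} '
            f'({r.get("control")}), {skipped} earlier by-clause(s) did not match')

if __name__ == "__main__":
    for decision in summarize(SAMPLE):
        print(explain(decision))
```

On the trace from the post, the summary shows that the second `by` clause (`by * read`) was the one applied, so the `set.exact` clause ahead of it never matched the bound DN.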