
Re: addressbook ACLs - cannot create contact in group address book.



On Friday 16 March 2007, Bernhard D Rohrer wrote:
> hi folks
>
> I have the following ACL for my groups:
>
> # Access to groups addressbooks
>
> # allow read of addressbook by members and egwadmin account
> access to
> dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
>          attrs=entry
>          by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
>          by dn.regex="cn=admin,dc=graylion,dc=net" write
>          by users none
>
> # allow members to create entries in their group addressbooks; no-one
> else can access it
> # needs write access to the entries ENTRY attribute ...
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
>          attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
>          by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>          by users none
>
> # ... and the entries CHILDREN
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
>          attrs=children
>          by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>          by users none
>
>
>
> the LDIF of one of my groups is:
>
> dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
> cn: GraylionEnterprises
> gidNumber: 7
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: ...
> objectClass: top
> objectClass: posixGroup
>
> and the log shows this error:
>
> Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry:
> "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
> Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find
> objectClass
>
> while eGW shows this error:
>
> Error saving the contact !!! Insufficient access: so_ldap: 503
>
> what is wrong? Anybody have any ideas?

You can't use a posixGroup (where the member attribute values are 
non-DN-valued) for ACLs without sets.

Either use a groupOfNames with member attribute (which contains the dn of the 
member, not the uid), or use sets (I believe there is an example on the 
FAQ-o-matic).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
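Following Buchan's first suggestion, here is what the ACL set looks like once the groups are groupOfNames entries; this is an added example, not part of either message. It assumes the group entries are rewritten with objectClass groupOfNames and a member attribute holding each user's full DN (assumed here to be uid=<user>,ou=people,dc=graylion,dc=net), and it keeps Bernhard's dn.regex patterns exactly as posted:

```conf
# Group address books. Each group is now a groupOfNames whose "member"
# values are user DNs (assumed: uid=<user>,ou=people,dc=graylion,dc=net),
# not a posixGroup with bare memberUid values. group.expand already
# defaults to groupOfNames/member; the objectClass and attribute are
# spelled out here so the requirement is visible in the config.

# allow read of addressbook by members and admin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
         attrs=entry
         by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
         by dn.regex="cn=admin,dc=graylion,dc=net" write
         by users none

# allow members to create entries in their group addressbooks; no-one
# else can access them (entry attribute of the contacts themselves)
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
         attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
         by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
         by users none

# ... and the children attribute of the addressbook entry, needed to add
# new contact entries beneath it
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
         attrs=children
         by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
         by users none
```

The group lookup in the quoted log ("found entry" followed by "failed to find objectClass") is slapd locating the group but not finding the objectClass the group clause requires, which is the symptom to expect while the group is still a posixGroup.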
