
Re: read ACL working but write ACL not



Dieter Kluenter wrote:
> JOYDEEP <j.bakshi@unlimitedmail.org> writes:
>
>> Gavin Henry wrote:
>>> <quote who="JOYDEEP">
>>>> Dieter Kluenter wrote:
>
>> Jul  9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 ADD dn="uid=cf594fcd2bace89814a3a2a62e6f9f91,cn=bisu,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
>> Jul  9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 RESULT tag=105 err=50 text=no write access to parent
>>
>> I've also tried with
>> dn.regex="^cn=([^,]+),ou=personal,ou.......................    but with
>> the same effect
>>
>
> Please set loglevel to ACL and check which access rule matches first.
>
> -Dieter
>
OK Dieter,
I have set loglevel 128

The ACLs I have for read and write are:

################ personal ACL #######################
###################### read #######################
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
  by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
  by * none
######################## write ############################
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"
  attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
  by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
  by users none

Now if I try to add to the addressbook it gives errors as:
---------------------------------------------------------------

Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: access to entry "cn=admin,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", attr "children" requested
Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: to all values by "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", (=n)
Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: <= check a_dn_pat: uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap
Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] mask: read(=rscx)
Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx)
---------------------------------------------------------------

If I disable the read ACL then I have no problem saving the contact.
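The ACL trace above shows why: slapd consults only the first "access to" directive whose <what> matches, and the attrs-less read clause matches the addressbook entry for every attribute, including the children pseudo-attribute that an ADD needs on the parent, so the later write clause is never reached. As an added example (not from this thread), the two clauses folded into one so the addressbook owner gets write, which in slapd's cumulative privilege levels includes read, and everyone else gets nothing; the regex is left unanchored at the start, as in the original, so the clause also covers the new contact entry beneath the addressbook.

```conf
# Added example, not the poster's configuration: one clause for the target.
# slapd stops at the first "access to" whose <what> matches the entry and
# attribute, so a read-only clause placed first shadows any write clause that
# follows it for the same DN. Granting write here covers read as well.
# No attrs list: the clause applies to all attributes, including the "entry"
# and "children" pseudo-attributes that ADD checks on the new entry and its parent.
# No leading ^: a $-anchored regex matches the addressbook entry and everything
# beneath it, so the new contact itself is covered too.
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
  by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
  by * none
```

With loglevel 128 still on, the same ADD should now show acl_mask applying write(=wrscx) for the owner DN rather than read(=rscx).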