Re: read ACL working but write ACL not
Hi,
JOYDEEP <j.bakshi@unlimitedmail.org> writes:
> Dieter Kluenter wrote:
>> JOYDEEP <j.bakshi@unlimitedmail.org> writes:
>>
>>
>>> Gavin Henry wrote:
>>>
>>>> <quote who="JOYDEEP">
>>>>
>>>>
>>>>> Dieter Kluenter wrote:
>>>>>
>>>>>
>>
>>
>>> Jul 9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 ADD dn="uid=cf594fcd2bace89814a3a2a62e6f9f91,cn=bisu,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
>>> Jul 9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 RESULT tag=105 err=50 text=no write access to parent
>>>
>>> I've also tried with
>>> dn.regex="^cn=([^,]+),ou=personal,ou....................... but with
>>> the same effect
>>>
>>>
>>
>> Please set loglevel to ACL and check which access rule matches first.
>>
>> -Dieter
>>
>>
> OK Dieter,
> I have set loglevel 128
>
> The ACLs I have for read and write are
>
> ################ personal ACL #######################
> ###################### read #######################
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
>     by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
>     by * none
> ######################## write ############################
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"
>     attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
>     by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
>     by users none
>
> Now if I try to add in the addressbook it gives errors as
> ---------------------------------------------------------------
>
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: access to entry "cn=admin,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", attr "children" requested
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: to all values by "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", (=n)
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= check a_dn_pat: uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] applying read(=rscx) (stop)
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] mask: read(=rscx)
> Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx)
From the log one can see that the first access rule is applied and no
further checking is done. Please put your access rules in the correct
order.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
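The first-match behaviour Dieter points to, shown as an added example that is not part of the thread and not OpenLDAP code: a simplified Python model of slapd's ACL evaluation, run over the two posted clauses and the DNs from the acl_mask log, first in the posted order (read clause first) and then with the write clause moved ahead of it. The @objectClass attribute sets of the write clause and other <who> forms are deliberately not modelled.

```python
import re

# Access levels in increasing order of privilege; write implies read,
# read implies search, and so on.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Clauses taken from the thread's slapd.conf (only the entry/children
# pseudo-attributes of the write clause are modelled, not the @objectClass sets).
SUFFIX = r"ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"
OWNER = "uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap"
READ_CLAUSE = {"dn_regex": r"cn=([^,]+)," + SUFFIX + "$",
               "by": [(OWNER, "read"), ("*", "none")]}
WRITE_CLAUSE = {"dn_regex": r"cn=([^,]+)," + SUFFIX,
                "attrs": {"children", "entry"},
                "by": [(OWNER, "write"), ("users", "none")]}

# Target entry and bind DN exactly as they appear in the posted log lines.
TARGET = ("cn=admin,ou=personal,ou=contacts,ou=contacts,"
          "virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap")
ADMIN = "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"

def evaluate(acl, target_dn, attr, bind_dn):
    """Level the first matching clause grants bind_dn on (target_dn, attr)."""
    for clause in acl:
        m = re.search(clause["dn_regex"], target_dn)
        if not m:
            continue
        # A clause without an attrs list covers every attribute, including the
        # entry and children pseudo-attributes; that is why the read clause
        # caught the "children" request in the log and evaluation stopped there.
        if "attrs" in clause and attr not in clause["attrs"]:
            continue
        for who, level in clause["by"]:
            if who == "*" or (who == "users" and bind_dn):
                return level
            # dn.exact,expand: $1/$2 are the groups captured by the target regex
            expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), who)
            if expanded == bind_dn:
                return level
        return "none"   # clause matched but no <who> did: implicit "by * none"
    return "none"       # no clause matched at all

def allowed(acl, target_dn, attr, bind_dn, wanted):
    """True if the granted level covers the requested one (an ADD needs write on the parent's children)."""
    return LEVELS.index(evaluate(acl, target_dn, attr, bind_dn)) >= LEVELS.index(wanted)

if __name__ == "__main__":
    posted = [READ_CLAUSE, WRITE_CLAUSE]   # order from the thread: read clause first
    fixed = [WRITE_CLAUSE, READ_CLAUSE]    # Dieter's advice: write clause first
    print("posted order:", evaluate(posted, TARGET, "children", ADMIN))
    print("fixed order: ", evaluate(fixed, TARGET, "children", ADMIN))
```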