ACL Assistance Requested
I'm attempting to grant permission to a user account object in my OpenLDAP directory to write to an OU and I can't yet figure out the proper ACL to use. If I grant write access to everybody on everything it works, but with the following configuration it does not.

I'm using OpenLDAP 2.3.34 on CentOS 4.5.

I'm using the following ACLs:

access to attrs=userPassword
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by dn.exact="cn=Manager,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
access to dn="ou=printers,dc=example,dc=org"
  by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
  by dn.exact="cn=manager,dc=example,dc=org" write
  by * read
access to *
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by self write
  by * read

I'm trying to give write permission to the cupsd object:

  uid=cupsd,ou=people,dc=example,dc=org

I can authenticate using ldapsearch, but I'm unable to add any objects to this OU (confirming read, authenticated access), getting the following results:

$ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D "uid=cupsd,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
ldap_add: Insufficient access (50)
additional info: no write access to entry
A verbose log indicates the following:

conn=2 op=3 MOD dn="cn=<printer IP>,ou=printers,dc=example,dc=org"
conn=2 op=3 MOD attr=cn printerDescription printerURI printerLocation printerMakeAndModel printerType objectClass
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=default,ou=policies,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=org")
=> bdb_entry_get found entry "cn=default,ou=policies,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
bdb_modify cn=<printer IP>,ou=printers,dc=example,dc=org
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
bdb_modify_internal 0x00000096 cn=<printer IP>,ou=printers,dc=example,dc=org
=> access_allowed delete access to "cn=<printer IP>,ou=printers,dc=example,dc=org" "cn" requested
=> dn [2] ou=printers,dc=example,dc=org
=> acl_get [3] attr cn
access_allowed no res from state (cn)
=> acl_mask access to entry "cn=<printer IP>,ou=printers,dc=example,dc=org", attr "cn" requested
=> acl_mask to all values by "uid=cupsd,ou=people,dc=example,dc=org", (=0)
<= check a_dn_pat uid=replicator,ou=people,dc=example,dc=org
<= check a_dn_pat self
<= check a_dn_pat *
<= acl_mask [3] applying read(=rscxd) (stop)
<= acl_mask [3] mask read(=rscxd)
=> access_allowed delete access denied by read(=rscxd)
bdb_modify modify failed (50)
So it looks like a read ACL is preventing the write. What would be the proper way to write the ACLs for this task?
TIA,
--
Joshua M. Miller - RHCE,VCP
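
An added example, not part of the message above, showing the ACL change the debug log points to (same DNs as in the post). The log shows rule [2] (`access to dn="ou=printers,..."`) not matching the child entry `cn=<printer IP>,ou=printers,...`, so the request falls through to rule [3] (`access to *`), where the first clause matching the cupsd DN is `by * read`; a scope-style DN pattern makes rule [2] cover the entries beneath the OU:

```conf
# slapd.conf ACL fragment (added example, not from the original message).
# slapd applies the first "access to" clause whose <what> matches the target
# entry, and within it the first "by" clause matching the bound DN, so the
# order of these rules matters.

# Unchanged: the userPassword rule stays first.
access to attrs=userPassword
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
  by dn.exact="cn=Manager,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none

# dn.subtree matches ou=printers itself and every entry below it, so the
# cupsd account gets write access both on the OU (adding an entry needs write
# access to the parent's "children" pseudo-attribute) and on the printer
# entries. dn.children would match only the entries below the OU, not the OU
# entry itself.
access to dn.subtree="ou=printers,dc=example,dc=org"
  by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
  by dn.exact="cn=manager,dc=example,dc=org" write
  by * read

# The catch-all stays last; anything it matched before still gets the same
# access, since the subtree rule above is consulted first.
access to *
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
  by self write
  by * read
```

After restarting slapd, re-running the same ldapadd with `-d acl` (or the verbose log used above) should show rule [2] applying `write` for the cupsd DN instead of rule [3] applying `read`.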