[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with ACL's for Users/Groups

I think your ACLs are not allowing you to do what you want, but I can't say for sure without knowing how your client is binding to your directory.

If you turn on openldap's logging for ACL parsing, you should see the connection and if it was allowed or denied for the given bind.

( 128 (0x80 ACL) access control list processing : see man slapd.conf for details under loglevel )

Give that a try, and then you should be able to relax or adjust your ACLs to allow access.

I hope that helps

On Jul 30, 2008, at 10:42 PM, david stackis wrote:

Hi -

First off, I want to apologize for posting to list when I really should
have read more.
Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin
Guide....and I'm still scratching my head wondering why this isn't working.

Here's my structure...
I have two Groups..."Home", and "Work"
I have two Users..."Me", and "You" These users have passwords

I can search my LDAP using the rootdn, and I'm able to add to each of the
Group AddressBooks "Home", and "Group" using the rootdn. What I can't seem
to do, is have user "Me" or "You" access any of the AddressBooks.

The user "Me" has access to "Home and "You" has access to "Work" each have
two different email addresses.

Again...the rootdn can see everything in Thunderbird...but it's "Me" and
"You" that seem to have no access/
Could someone please point me in the right direction.

I'm also using Apache Directory Studio, and I verified that the four
entries I added...two being place in the "Home" AddressBook, and the other
two in the "Work" AddressBook. The ACL's I'm using are below...and further
down is my LDIF I used to create my structure.

I've tried attrs=userPassword, and attr=userPassword...I've seen both of
these examples used

Thank you for any help.

# ACL1
access to attrs=userPassword
       by self write
       by anonymous auth
# ACL2
access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
       by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write
# ACL3
access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read
access to dn.base="" by * read
# ACL4
access to dn.base="cn=Subschema" by * read
# ACL5
disallow bind_anon

The LDIF I used...
# Initialize the suffix entry defined in slapd.conf
dn: dc=MyCompany,dc=com
objectclass: top
objectclass: organization
objectclass: dcObject
dc: MyCompany
o: cctr

# Initialize the AddressBooks heirarchy
dn: ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: AddressBooks

# Define individual address books
dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Home

dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Work

# Initialize the Users heirarchy
dn: ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Users

# Define individual users
dn: cn=Me,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: Me
sn: My LastName
userPassword: {crypt}XXXXXX

dn: cn=You,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: You
sn: You LastName
userPassword: {crypt}XXXXXX

# Initialize the Groups heirarchy
dn: ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups

# Group users into separate address books
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com

dn: o=Work,ou=Groups,dc=ucsb,dc=edu
objectclass: top
objectclass: groupOfNames
cn: Work
member: cn=You,ou=Users,dc=MyCompany,dc=com

------------------- david stackis

++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd