[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problem in slapd.conf

To: Tomasz Chmielewski <mangoo@wpkg.org>
Subject: Re: ACL problem in slapd.conf
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Fri, 04 Sep 2009 14:08:48 +0200
Cc: openldap-software@openldap.org
In-reply-to: <4AA0E5C6.7000700@wpkg.org>
References: <4AA0E5C6.7000700@wpkg.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.4pre) Gecko/20090825 Shredder/3.0b4pre

On 04/09/2009 12:02, Tomasz Chmielewski wrote:

I would like to allow a user to edit everything in a given subtree.


For example, I would like to allow
uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in
*,ou=Users,dc=example,dc=com.


I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up
access for that user, but I keep getting "insufficient access".

onn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com"
mech=SIMPLE ssf=0
conn=5 op=0 RESULT tag=97 err=0 text=
conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry




My rule in slapd.conf is:

access to dn="ou=Users,dc=example,dc=com"
by dn="uid=Operator,ou=Users,dc=example,dc=com" write
by dn="uid=Operator,ou=Users,dc=example,dc=com" read


I also tried to use:

access to dn.subtree="ou=Users,dc=example,dc=com"
...

But then I'm not even able to connect.

Hi,

I recommend that you read the chapter on access control from the*OpenLDAP* admin guide:

http://www.openldap.org/doc/admin24/access-control.html

In this particular case, I expect that you have other access rules thatmay be blocking this one - remember that order is important, and thefirst rule matching on the <what> part will define the access level.


Help in setting up ACLs is available through two other means:

1) If you use the command line ldap* tools, they often output someadditional info along with the error 50, like this:


ldap_delete: Insufficient access (50)
	additional info: no write access to parent

2) You can enable loglevel acl in your configuration file and check thelogs to see which rules are being used.

I hope this helps. If you have further questions, don't hesitate to postback here with your full set of ACLs, and information on the version ofslapd you're using.


Regards,
Jonathan

Follow-Ups:
- Re: ACL problem in slapd.conf
  - From: Tomasz Chmielewski <mangoo@wpkg.org>

References:
- ACL problem in slapd.conf
  - From: Tomasz Chmielewski <mangoo@wpkg.org>

Prev by Date: Re: ACL problem in slapd.conf
Next by Date: Re: ACL problem in slapd.conf
Index(es):
- Chronological
- Thread