Re: Problem with ACL in 2.4.22

[Thierry Lacoste <lacoste@u-pec.fr>]

On 28 déc. 10, at 16:07, Nick Milas wrote:

> Hi,
>
> I have upgraded from 2.3.43 to 2.4.22 on CentOS 5.5.
>
> Everything works fine, except my ACLs don't work on the new version.  
> Strange results occur.
>
> Has anything changed significantly in v2.4 ACLs in comparison to  
> v2.3 ACLs?
Just a guess.
According to http://www.openldap.org/doc/admin24/appendix- 
upgrading.html:
  'Search operations now require "search" privileges on the "entry"  
pseudo-attribute of the search base.'
Maybe you need to add the search privilege at an upper level in your  
DIT.

Regards,
Thierry
> For example, the following piece of code works as expected in v2.3  
> but not in v2.4. If some user logs in and is a member of a  
> GroupXAdmins (where X = 1-6), he can't see the branch at all.
>
> # Allow access to entries of the subtree
> #
> access to dn.sub="dc=12.11.10.in- 
> addr.arpa,ou=dns1,dc=example,dc=com" attrs="children,entry"
>        by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com"  
> write
>        by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com"  
> write
>        by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com"  
> read
>        by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
>        by * break
>
> # Allow access to all attributes of the subtree
> #
> access to dn.sub="dc=12.11.10.in-addr.arpa,ou=dns1,dc=example,dc=com"
>        by group.exact="cn=Group1Admins,ou=Groups,dc=example,dc=com"  
> write
>        by group.exact="cn=Group2Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group3Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group4Admins,ou=Groups,dc=example,dc=com"  
> write
>        by group.exact="cn=Group5Admins,ou=Groups,dc=example,dc=com"  
> read
>        by group.exact="cn=Group6Admins,ou=Groups,dc=example,dc=com"  
> read
>        by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=com" read
>
> where Groups are of the form:
>
>   dn: cn=Group1Admins,ou=Groups,dc=example,dc=com
>   objectClass: groupOfNames
>   cn: Group1Admins
>   member: uid=userx,ou=people,dc=example,dc=com
>
> Please, help.
>
> Nick