
Re: Usage of groups in an access control



Thanks Harry and Markus.

I did not read the page until the end :( Yesterday before I went to sleep the order thing (a firewall works this way too) came into my mind. I wanted to check it today. I moved the access rule up to 3rd place and I even removed all the by 'dn="cn=admin,dc=example,dc=com"' write rules to get rid of the warnings with slapacl. The output of slapacl is:

# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: read(=rscxd)
children: read(=rscxd)
ou=abk1: read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
objectClass=top: read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: read(=rscxd)
creatorsName=cn=admin,dc=example,dc=com: read(=rscxd)
createTimestamp=20130116171011Z: read(=rscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: read(=rscxd)
modifiersName=cn=admin,dc=example,dc=com: read(=rscxd)
modifyTimestamp=20130116171011Z: read(=rscxd)

Strange that the children are still read. If I change dn.children to dn.subtree then everything changes to write, but still no insert or delete.

# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
ou=Beauty: write(=wrscxd)
objectClass=organizationalUnit: write(=wrscxd)
objectClass=top: write(=wrscxd)
structuralObjectClass=organizationalUnit: write(=wrscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: write(=wrscxd)
creatorsName=cn=admin,dc=example,dc=com: write(=wrscxd)
createTimestamp=20130116171011Z: write(=wrscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: write(=wrscxd)
modifiersName=cn=admin,dc=example,dc=com: write(=wrscxd)
modifyTimestamp=20130116171011Z: write(=wrscxd)

I still cannot add or remove address-book entries but I know that I am on the right way. Perhaps there is some caching somewhere that is not cleaned when slapd is restarted. I will read the page to the end this time :)


On 28-01-13 10:13, harry.jede@arcor.de wrote:
Hi Marco,

reread http://www.openldap.org/doc/admin24/access-control.html
maybe more than one time ;-)


In short:
exchange rule 4 & 5

Remember that ordering by tree (DN in what clause) is important.
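As an added illustration (not the configuration from this thread, whose rules 4 and 5 are not shown), a slapd.conf fragment contrasting the ordering and scope problem discussed above with a corrected version. The rule bodies, the `by users read` fallback and the use of `dn.exact` for the address-book owner are assumptions.

```conf
# Added example, not the thread's own configuration. slapd evaluates
# "access to" clauses in order and applies the FIRST clause whose target
# matches the entry; later clauses are never consulted for that entry.

#### Problematic: generic rule first, and dn.children for the container ####
# 1) This catch-all matches ou=abk1 (and everything else) before any
#    more specific rule is reached.
access to *
        by users read
        by * none
# 2) Never reached for the address book. Even if it were, dn.children
#    excludes ou=abk1 itself, so the container's "entry" and "children"
#    pseudo-attributes stay read-only. Adding an entry needs write on the
#    parent's "children"; deleting one needs write on the target's "entry"
#    and on the parent's "children".
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn.exact="cn=My ENTRY,ou=People,dc=example,dc=com" write
        by users read

#### Corrected: specific rule first, dn.subtree includes the container ####
# ou=abk1 and all entries below it match here, so the owner gets write on
# the container's "children" pseudo-attribute (add) and on each child's
# "entry" pseudo-attribute (delete). Everyone else authenticated may read.
access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn.exact="cn=My ENTRY,ou=People,dc=example,dc=com" write
        by users read
        by * none
# Generic rules go after the specific ones.
access to *
        by users read
        by * none
```

Re-running the slapacl command from the thread against the corrected ordering should report `children: write(=wrscxd)` on ou=abk1; if it does but ldapadd still fails, compare the bind DN the client actually uses with the `-D` given to slapacl.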