Re: Usage of groups in an access control
- To: openldap-technical@openldap.org
- Subject: Re: Usage of groups in an access control
- From: Marco de Booij <marco.maillist@debooy.eu>
- Date: Mon, 28 Jan 2013 22:45:35 +0100
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scarlet.be; s=scarlet; t=1359409536; bh=rbc0uAtOuxxkolD5t369R2+PVjOOQzSqz5sOSG0faew=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=XojrXx/91cu6ekR4J6LQP1XxFUgp3eYtrJZ2PZZYMiBNgPD/C7j3nMBNB4dlgsoSu Irzm7pWcF8WZkuNaBIEDvVSUfxUr6gCOqqtDHdlC0rrAaQxvvkzJbSRTi16eDE8dnr 0oGr94CfCmpEl/sBBxaFjxEQAPR9/2pnq3i0aPuA=
- In-reply-to: <201301281013.08343.harry.jede@arcor.de>
- References: <51050765.6080600@debooy.eu> <201301281013.08343.harry.jede@arcor.de>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
Thanks Harry and Markus.
I did not read the page until the end :( Yesterday, before I went to
sleep, the order thing (a firewall works this way too) came to mind.
I wanted to check it today. I moved the access rule up to 3rd place and
I even removed all the by 'dn="cn=admin,dc=example,dc=com"' write rules
to get rid of the warnings with slapacl. The output of slapacl is:
# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: read(=rscxd)
children: read(=rscxd)
ou=abk1: read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
objectClass=top: read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: read(=rscxd)
creatorsName=cn=admin,dc=example,dc=com: read(=rscxd)
createTimestamp=20130116171011Z: read(=rscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: read(=rscxd)
modifiersName=cn=admin,dc=example,dc=com: read(=rscxd)
modifyTimestamp=20130116171011Z: read(=rscxd)
Strange that the children are still read. If I change dn.children to
dn.subtree then everything changes to write but still no insert or delete.
# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
ou=Beauty: write(=wrscxd)
objectClass=organizationalUnit: write(=wrscxd)
objectClass=top: write(=wrscxd)
structuralObjectClass=organizationalUnit: write(=wrscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: write(=wrscxd)
creatorsName=cn=admin,dc=example,dc=com: write(=wrscxd)
createTimestamp=20130116171011Z: write(=wrscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: write(=wrscxd)
modifiersName=cn=admin,dc=example,dc=com: write(=wrscxd)
modifyTimestamp=20130116171011Z: write(=wrscxd)
I still cannot add or remove address-book entries but I know that I am
on the right way. Perhaps there is some caching somewhere that is not
cleaned when slapd is restarted. I will read the page to the end this
time :)
On 28-01-13 10:13, harry.jede@arcor.de wrote:
Hi Marco,
reread http://www.openldap.org/doc/admin24/access-control.html
maybe more than one time ;-)
In short:
exchange rule 4 & 5
Remember that ordering by tree (DN in what clause) is important.
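The two points the thread turns on, first-match ordering of the `access to` directives and the difference between `dn.children` and `dn.subtree`, as an added slapd.conf fragment that is not part of the thread or of OpenLDAP's own documentation. The address-book DN, the admin DN and the bind DN are the ones used in the thread; the group `cn=abk1-editors,ou=Groups,dc=example,dc=com` is an assumed name.

```conf
# Added example, not from the thread. slapd.conf access directives showing
# first-match ordering and the dn.children / dn.subtree distinction.
# Assumed: the group cn=abk1-editors,ou=Groups,dc=example,dc=com (hypothetical).
# The address-book DN and cn=admin DN are those used in the thread.

# 1. Most specific <what> first. slapd stops at the first "access to" whose
#    <what> matches the target entry/attribute and then evaluates that rule's
#    "by" clauses in order; later rules are never consulted for that target.
#    dn.subtree covers ou=abk1 itself AND everything below it, so the
#    "children" pseudo-attribute of ou=abk1 (write on it is required to add
#    or delete an entry directly under ou=abk1) is granted by this rule.
access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by group.exact="cn=abk1-editors,ou=Groups,dc=example,dc=com" write
        by users read
        by * none

# 2. The same rule with dn.children does NOT match ou=abk1 itself. A member
#    of the group then gets write on the entries below ou=abk1, but access to
#    ou=abk1's own "children" pseudo-attribute falls through to a later,
#    broader rule (rule 3 below grants only read), so ldapadd/ldapdelete of an
#    entry under ou=abk1 is refused even though slapacl reports write on the
#    entries that already exist below it.
#
# access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
#         by group.exact="cn=abk1-editors,ou=Groups,dc=example,dc=com" write
#         by users read
#         by * none

# 3. Broad catch-all rules go last. If this rule were placed above rule 1 it
#    would match ou=abk1 first and the editors would never reach their write
#    grant; slapacl would then show read(=rscxd) for every attribute.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none

# Offline check of exactly the two pseudo-attributes that add/delete need,
# for the bind DN from the thread (run as the user slapd runs as):
#   slapacl -f /etc/ldap/slapd.conf -v \
#     -D "cn=My Entry,ou=People,dc=example,dc=com" \
#     -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" children entry
# Expected with rule 1 in place and the bind DN in the group:
#   children: write(=wrscxd)
#   entry: write(=wrscxd)
```

Two caveats when reading slapacl output. First, slapacl evaluates the configuration you point it at: if slapd was started from a cn=config directory (slapd.d) rather than slapd.conf, pass that directory with `-F` instead of `-f`, otherwise you are testing access rules the running server does not use. Second, a `write` result on the attributes of an entry that already exists says nothing about adding siblings; for an add, check `children` on the parent and `entry` on the DN you intend to create, as the command above does.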