
Simple - I hope -- ACL problem

I have constructed an openldap 2.1.30 scheme (the system also has db-4.2.52,
both following Quanah's suggestions.)

The schema looks like so:

o=domain.com
    cn=reader
    ou=HQ
        cn=Manager HQ
        cn=Person1
        cn=Person2
    ou=OU1
        cn=Manager OU1
        cn=Person1
        cn=Person2
    ou=OU2
        cn=Manager OU2
        cn=Person1
        cn=Person2
        ou=OU2-SubOU1
            cn=Person1
            cn=Person2

etc.

I have an acl structure which works fine for allowing Managers access to
their OUs and the subordinate OUs within the OU of which that manager is a
part.  And, of course the "rootdn" can access any record.

But I think I am doing something insanely stupid in that I have omitted
something critical when trying to implement the following:

I wanted to add another cn record called "reader" which has read and
therefore search access to all entries from the o=domain.com on down.  For
the life of me, I can not make this last work.

For all tests I am using Jarek Gawor's Ldap Browser/Editor v2.8.1

I have removed all acls from the slapd.conf and restarted slapd with a debug
value of -168, save for this:

access to *
        by * read

This of course works just fine and enumerates every entry in the db when
querying as "cn=reader,o=domain.com".

However, when I try the following as the only acl entry in my slapd.conf, I
have no access to anything other than o=domain.com in the browser left pane,
with no attributes listed in the right pane.

access to *
        by dn="cn=reader,o=domain.com" read

I have also tried dn.exact and dn.base to no avail. 

Looking at the slapd debug output, I see lines like:

=> access_allowed: search access to "ou=OU1,o=domain.com" "objectClass" requested
=> dnpat: [1] cn=reader,o=domain.com nsub: 0
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=OU1,o=domain.com attr: objectClass
=> acl_mask: access to entry "ou=OU1,o=domain.com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: cn=reader,o=domain.com
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50
=> test_filter
    PRESENT
=> access_allowed: search access to "cn=reader,o=domain.com" "objectClass" requested
=> dnpat: [1] cn=reader,o=domain.com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl cn=reader,o=domain.com attr: objectClass
=> acl_mask: access to entry "cn=reader,o=domain.com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50

So, something is not allowing this acl to be effective.  Can someone show me
where I am going wrong?

Thanks and regards,

Bruce
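As an added example (not part of the original post, and not OpenLDAP code), here is a small Python parser for the slapd ACL debug output quoted above. For each `access_allowed` check it records the target entry and attribute, the identity the ACL was evaluated for (the `by "..."` field of the `acl_mask` line), the `<who>` patterns slapd compared against, and the verdict. The sample log is the two checks from the post; the `AclCheck` field names and the `diagnose` helper are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Patterns for the OpenLDAP 2.1 ACL debug lines as they appear in the post.
REQ_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)"')
WHO_RE = re.compile(r'^=> acl_mask: to all values by "([^"]*)"')
PAT_RE = re.compile(r'^<= check a_dn_pat: (.+?)\s*$')
RESULT_RE = re.compile(r'^=> access_allowed: \w+ access (denied|granted) by (=\w*)')


@dataclass
class AclCheck:
    access: str                   # e.g. "search"
    entry: str                    # DN of the entry being checked
    attr: str                     # attribute being checked
    who: Optional[str] = None     # identity the ACL was evaluated for ("" = anonymous)
    patterns: List[str] = field(default_factory=list)  # <who> patterns tried
    result: Optional[str] = None  # "granted" or "denied"
    mask: Optional[str] = None    # e.g. "=n"


def parse_acl_debug(text: str) -> List[AclCheck]:
    """Group slapd ACL debug lines into one AclCheck per access_allowed request."""
    checks: List[AclCheck] = []
    cur: Optional[AclCheck] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            cur = AclCheck(*m.groups())
            checks.append(cur)
            continue
        if cur is None:
            continue
        m = WHO_RE.match(line)
        if m:
            cur.who = m.group(1)
            continue
        m = PAT_RE.match(line)
        if m:
            cur.patterns.append(m.group(1))
            continue
        m = RESULT_RE.match(line)
        if m:
            cur.result, cur.mask = m.group(1), m.group(2)
            cur = None
    return checks


def identities(checks: List[AclCheck]) -> Set[str]:
    """Every identity the server evaluated ACLs for in this log."""
    return {c.who for c in checks if c.who is not None}


def diagnose(check: AclCheck) -> str:
    """One-line reading of a check; a dn=<DN> clause only matches a bound DN."""
    tried = ", ".join(check.patterns) or "(none)"
    if check.who == "":
        return (f"{check.access} on {check.entry}/{check.attr}: evaluated for the "
                f"anonymous identity, so a dn=<DN> clause cannot match "
                f"(patterns tried: {tried}); result {check.result} {check.mask}")
    return (f"{check.access} on {check.entry}/{check.attr}: evaluated as "
            f"{check.who}; result {check.result} {check.mask}")


# Sample input: the two checks quoted in the post (constructed from the mail body).
SAMPLE_LOG = """\
=> access_allowed: search access to "ou=OU1,o=domain.com" "objectClass" requested
=> dnpat: [1] cn=reader,o=domain.com nsub: 0
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=OU1,o=domain.com attr: objectClass
=> acl_mask: access to entry "ou=OU1,o=domain.com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: cn=reader,o=domain.com
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50
=> test_filter
    PRESENT
=> access_allowed: search access to "cn=reader,o=domain.com" "objectClass" requested
=> dnpat: [1] cn=reader,o=domain.com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl cn=reader,o=domain.com attr: objectClass
=> acl_mask: access to entry "cn=reader,o=domain.com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50
"""

if __name__ == "__main__":
    for c in parse_acl_debug(SAMPLE_LOG):
        print(diagnose(c))
```

The field worth looking at first is `who`: both checks in the post carry `by ""`, i.e. the server evaluated the ACL for an empty (anonymous) identity, and a `by dn="cn=reader,o=domain.com"` clause is compared against the DN the connection is actually bound as. Whether the browser really bound as cn=reader before searching is the thing to confirm in the log; the `by * read` ACL cannot distinguish the two cases, which is why it appeared to work.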