Re: what is wrong with my permissions?



Igor Shmukler <igor.shmukler@gmail.com> writes:

> Further, I just unsuccessfully tried one more thing: Adding another
> line to olcAccess for individual DIT databases, [i.e. dn:
> olcDatabase={1}hdb,cn=config and dn: olcDatabase={2}hdb,cn=config ]
> olcAccess: {3}to * by dn.exact=cn=config

Yes, that's needed.

> I am still getting an error: no write access to parent.
>
> A fragment from my slapcat(8) output:
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
>  s auth by dn="cn=admin,dc=directory,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com
>  " write by * read

There is a double comma here.  But the problem is that this line will
always terminate the ACL processing, because "to * ... by * read" always
matches.

> olcAccess: {3}to * by dn.exact=cn=config

This line is never reached.  Move it to the front instead:

olcAccess: {0}to * by dn.exact=cn=config
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by * read

For consistency's sake you may want to stick either to dn.base or
dn.exact (they are the same).  Also, the rootDN is unaffected by ACLs,
so it's pointless to mention it in the rules.
-- 
Feri.
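The first-match behaviour discussed above, as an added example that is not part of this thread: a small Python model of slapd's ACL walk, fed the olcAccess values from the quoted slapcat fragment (continuation lines rejoined, double comma kept as posted) and the reordered list from the reply. It implements only the selectors these rules use (`*`, `attrs=`, `dn`/`dn.base`/`dn.exact`, `self`, `anonymous`), treats an add as a `write` check on the parent's `children` pseudo-attribute, and assumes a `by` clause with no level grants `write`; the function names and the sample DNs (`dc=directory,dc=com` as parent, `uid=joe,...`) are constructed here, not taken from the thread.

```python
"""Model of slapd's first-match ACL walk over a list of olcAccess values.

Following slapd.access(5) for the forms used in this thread: 'to' clauses are
tried in {n} order and the first whose <what> covers the target decides the
result; inside it the first matching 'by' grants its level, and no matching
'by' means the implicit 'by * none'.  Adding an entry needs 'write' on the
parent's 'children' pseudo-attribute ("no write access to parent").
ASSUMPTION: a 'by' clause with no level ('by dn.exact=cn=config') is treated
as granting 'write'.  Example code, not part of the thread.
"""
import re
import shlex

# slapd access levels, weakest first; a granted level covers all weaker ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# dn=<dn>, dn.exact=<dn> and dn.base=<dn> all select exactly one DN.
DN_SELECTOR = re.compile(r"dn(?:\.(?:exact|base|baselevel))?=(.*)$")

# Constructed from the quoted slapcat fragment; the double comma is kept as posted.
BROKEN_ACL = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write '
    'by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by * none',
    'olcAccess: {1}to dn.base="" by * read',
    'olcAccess: {2}to * by self write by dn="cn=admin,dc=directory,,dc=com" write by * read',
    'olcAccess: {3}to * by dn.exact=cn=config',
]
# The reordering suggested in the reply: the cn=config rule goes first.
FIXED_ACL = [
    'olcAccess: {0}to * by dn.exact=cn=config',
    'olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
    'olcAccess: {2}to dn.base="" by * read',
    'olcAccess: {3}to * by self write by * read',
]


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its comma-separated parts."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_olc_access(value):
    """'olcAccess: {n}to <what> by <who> [<level>] ...' -> (n, what, [(who, level)])."""
    m = re.match(r"(?:olcAccess:\s*)?\{(\d+)\}(.*)$", value.strip())
    if not m:
        raise ValueError("expected '{n}to ... by ...': %r" % value)
    tokens = shlex.split(m.group(2))           # shlex drops the quotes around DNs
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("missing 'to' clause: %r" % value)
    by_clauses, i = [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 1 >= len(tokens):
            raise ValueError("malformed 'by' clause in %r" % value)
        who, i = tokens[i + 1], i + 2
        level = "write"                        # ASSUMPTION: omitted level == write
        if i < len(tokens) and tokens[i] in LEVELS:
            level, i = tokens[i], i + 1
        by_clauses.append((who, level))
    return int(m.group(1)), tokens[1], by_clauses


def what_matches(what, target_dn, attr):
    """Does the <what> selector cover this (entry, attribute) request?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    m = DN_SELECTOR.match(what)
    if m:
        return normalize_dn(m.group(1)) == normalize_dn(target_dn)
    raise ValueError("unsupported <what>: %r" % what)


def who_matches(who, requester_dn, target_dn):
    """Does the <who> selector cover the requester (None means anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not requester_dn
    if who == "self":
        return bool(requester_dn) and normalize_dn(requester_dn) == normalize_dn(target_dn)
    m = DN_SELECTOR.match(who)
    if m:
        return bool(requester_dn) and normalize_dn(m.group(1)) == normalize_dn(requester_dn)
    raise ValueError("unsupported <who>: %r" % who)


def granted_level(acl_values, requester_dn, target_dn, attr=None):
    """Level the list grants requester_dn on (target_dn, attr); first match wins."""
    rules = sorted(map(parse_olc_access, acl_values), key=lambda rule: rule[0])
    for _n, what, by_clauses in rules:
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"                      # matching 'to', no matching 'by'
    return "none"                              # no 'to' clause covered the target


def can_add_child(acl_values, requester_dn, parent_dn):
    """Adding under parent_dn needs 'write' on the parent's 'children' attribute."""
    level = granted_level(acl_values, requester_dn, parent_dn, attr="children")
    return LEVELS.index(level) >= LEVELS.index("write")
```

Calling `granted_level(BROKEN_ACL, "cn=config", "dc=directory,dc=com", "children")` returns `read`: rule {2} covers the request and its `by * read` settles it, so {3} is never consulted, which is the "no write access to parent" error. With `FIXED_ACL` the same call returns `write`. The model also shows the cost of the mistyped admin DN (it matches nothing, so that admin too gets only `read` from {2}) and what a leading `to *` with a single `by` clause does to every other requester: they match rule {0}, match none of its `by` clauses, and fall to the implicit `by * none`; slapd.access(5) provides the `break` control on a `by` clause for exactly that case, so evaluation can continue with the next rule.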