LINUX.IE, website of the Irish Linux Users' Group
[ILUG] ldap acl problem

Bernhard D Rohrer graylion at sm-wg.net
Thu Apr 12 13:59:09 IST 2007



Hi folks, this has been driving me up the wall for a while now:

I am trying to get an acl for an address book to work.

the relevant acl statements are:

access to attrs=userPassword,userPKCS12
         by dn="cn=admin,dc=graylion,dc=net" write
         by anonymous auth
         by self write
         by * none

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
         by dn="uid=$1,ou=users,dc=graylion,dc=net" write
         by dn.regex="cn=admin,dc=graylion,dc=net" read
         by users none

access to dn.base=""
         by * read

access to *
         by dn="cn=admin,dc=graylion,dc=net" write
         by * read

I have also tried using

by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write

but in all cases I get (when I try to add something to my personal
address book):

Apr 12 12:59:32 collab slapd[17093]: do_add
Apr 12 12:59:32 collab slapd[17093]: >>> dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: <<< dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>, <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 ADD dn="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: bdb_referrals: op=104 target="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" matched="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "inetOrgPerson"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "mozillaAbPersonAlpha"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "uid"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "objectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "cn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "givenName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "sn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "displayName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "c"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "structuralObjectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryUUID"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "creatorsName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "createTimestamp"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryCSN"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifiersName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifyTimestamp"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested
Apr 12 12:59:32 collab slapd[17093]: => dn: [2]
Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] attr children
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: access to entry "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr "children" requested
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=n)
Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses, returning =n (stop)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access denied by =n
Apr 12 12:59:32 collab slapd[17093]: bdb_add: no write access to parent
Apr 12 12:59:32 collab slapd[17093]: send_ldap_result: conn=72 op=2 p=3
Apr 12 12:59:32 collab slapd[17093]: send_ldap_response: msgid=3 tag=105 err=50
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 RESULT tag=105 err=50 text=no write access to parent

now
dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1

seems to tell me that the regex gets matched correctly but on the other
hand it totally seems to not find

'by dn="uid=$1,ou=users,dc=graylion,dc=net" write'

I seem to be missing something obvious. what is it?

thanks

Bernhard
-- 
Graylion's Fetish & Fashion Store
Goth and Kinky Boots, Clothing and Jewellery
http://www.graylion.net
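
An added example, not part of the original post: a Python script that pulls the ACL decision out of the slapd trace quoted above and, separately, applies the `dnpat` pattern to the target DN to show what the `$1` in the `by dn=` clause would be expected to expand to. The log lines are copied from the post with wrapped lines rejoined; `summarize_acl_trace` and `expand_who` are hypothetical helper names, and using Python's `re` module as a stand-in for slapd's own regex matching and substitution is an assumption.

```python
import re

# Log lines copied from the post, with mail-client line wraps rejoined.
TRACE = """\
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested
Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=n)
Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses, returning =n (stop)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access denied by =n
"""

def summarize_acl_trace(trace):
    """Extract what was requested, which ACL matched, who asked, and the verdict."""
    patterns = {
        "request": r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested',
        "dnpat": r'dnpat: \[(\d+)\] (\S+) nsub: (\d+)',
        "binder": r'acl_mask: to all values by "([^"]*)", \((=\w*)\)',
        "verdict": r'access_allowed: \w+ access (granted|denied) by (\S+)',
    }
    out = {}
    for line in trace.splitlines():
        for key, pat in patterns.items():
            m = re.search(pat, line)
            if m:
                out[key] = m.groups()
    return out

def expand_who(dnpat, target_dn, who_template):
    """Model of $N substitution: match the target DN, fill $1..$9 from its groups."""
    m = re.search(dnpat, target_dn)
    if m is None:
        return None  # this ACL would not apply to the target at all
    return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), who_template)

if __name__ == "__main__":
    s = summarize_acl_trace(TRACE)
    level, target, attr = s["request"]
    # The who clause from the post's ACL; the expansion below is modelled, not slapd's.
    expected = expand_who(s["dnpat"][1], target, "uid=$1,ou=users,dc=graylion,dc=net")
    print(f"{level} on {attr!r} of {target}: {s['verdict'][0]} by {s['verdict'][1]}")
    print("ACL index:", s["dnpat"][0], "| bound as:", s["binder"][0])
    print("who clause after $1 expansion (modelled):", expected)
    print("expansion equals bound DN:", expected == s["binder"][0])
```

The pattern has no leading `^`, so under the same model it also matches the DN of the new child entry and captures `graylion` there as well.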


