[ILUG] ldap acl problem
paul at clubi.ie
Thu Apr 12 17:01:53 IST 2007
On Thu, 12 Apr 2007, Bernhard D Rohrer wrote:
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
> by dn="uid=$1,ou=users,dc=graylion,dc=net" write
> by dn.regex="cn=admin,dc=graylion,dc=net" read
> by users none
Why not the simpler:
access to dn.children="ou=personal,ou=contacts,dc=graylion,dc=net"
by self write
by dn="cn=admin,dc=graylion,dc=net" read
by users none
?
> access to dn.base=""
> by * read
>
> access to *
> by dn="cn=admin,dc=graylion,dc=net" write
> by * read
>
> I have also tried using
>
> by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
>
> but in all cases I get (when I try to add something to my personal
> address book):
>
> Apr 12 12:59:32 collab slapd[17093]: do_add
> Apr 12 12:59:32 collab slapd[17093]: >>> dnPrettyNormal:
> <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
>
> Apr 12 12:59:32 collab slapd[17093]: <<< dnPrettyNormal:
> <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>,
> <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
>
> Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 ADD
> dn="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
>
> Apr 12 12:59:32 collab slapd[17093]:
> bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
>
> Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id(
> "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
> )
> Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed:
> DB_NOTFOUND: No matching key/data pair found (-30990)
> Apr 12 12:59:32 collab slapd[17093]: bdb_referrals: op=104
> target="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
> matched="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry
> (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net),
> objectClass "inetOrgPerson"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry
> (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net),
> objectClass "mozillaAbPersonAlpha"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "uid"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "objectClass"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "cn"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "givenName"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "sn"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "displayName"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "c"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type
> "structuralObjectClass"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryUUID"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "creatorsName"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type
> "createTimestamp"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryCSN"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifiersName"
> Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type
> "modifyTimestamp"
> Apr 12 12:59:32 collab slapd[17093]:
> bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
>
> Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id(
> "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
> )
> Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed:
> DB_NOTFOUND: No matching key/data pair found (-30990)
> Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to
> "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children"
> requested
> Apr 12 12:59:32 collab slapd[17093]: => dn: [2]
> Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3]
> cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
> Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched
> Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] attr children
> Apr 12 12:59:32 collab slapd[17093]: => acl_mask: access to entry
> "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr
> "children" requested
> Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by
> "uid=graylion,ou=users,dc=graylion,dc=net", (=n)
> Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses,
> returning =n (stop)
> Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access
> denied by =n
> Apr 12 12:59:32 collab slapd[17093]: bdb_add: no write access to parent
> Apr 12 12:59:32 collab slapd[17093]: send_ldap_result: conn=72 op=2 p=3
> Apr 12 12:59:32 collab slapd[17093]: send_ldap_response: msgid=3 tag=105
> err=50
> Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 RESULT tag=105 err=50
> text=no write access to parent
>
> now
> dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
>
> seems to tell me that the regex gets matched correctly but on the other
> hand it totally seems to not find
>
> 'by dn="uid=$1,ou=users,dc=graylion,dc=net" write'
>
> I seem to be missing something obvious. What is it?
>
> thanks
>
> Bernhard
>
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
The cart has no place where a fifth wheel could be used.
-- Herbert von Fritzlar
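Added illustration (editor's note; not code from the thread, from OpenLDAP, or from either poster): a small Python model of the access check the quoted trace records, so the variants discussed above can be run side by side. It follows slapd.access(5) on the points that matter here: an ADD needs write on the pseudo-attribute "children" of the parent, which is why the trace evaluates cn=graylion,ou=personal,... rather than the new entry; the first matching <what> directive is the only one consulted and the first matching <who> inside it decides; an unstyled `by dn=` is `dn.exact` and compares the literal string, so `$1` is substituted only under `dn.exact,expand` or `dn.regex`; and `self` matches when the bound DN is the DN of the entry being checked. The bind DN, new entry DN and ACLs are the ones quoted in the thread; the `^...$` anchors on the `dn.regex` variant, the crude DN normalisation and the toy's deny when nothing matches are my own simplifications.

```python
# Toy model of one slapd access check (OpenLDAP ACL semantics per slapd.access(5)).
# Added illustration for this thread, not code from the thread, OpenLDAP or either
# poster.  What it models: an ADD needs "write" on pseudo-attribute "children" of the
# new entry's PARENT, so <what> is matched against the parent DN; the first matching
# <what> is the only one consulted and its first matching <who> decides (implicit
# "stop"), no matching <who> meaning none; "dn"/"dn.exact" compare literally (no
# $<digit> substitution), "dn.exact,expand"/"dn.regex" substitute $<digit> from the
# <what> regex; "self" means bound DN == DN of the entry checked.  Assumption: DN
# normalisation is just lower-casing and trimming blanks around commas.
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parent_of(dn):
    return norm(dn).split(",", 1)[1]


def expand(pattern, groups):
    """Substitute $1, $2 ... captured by the <what> regex; a bare '$' anchor stays."""
    return re.sub(r"\$(\d)", lambda m: groups.get(m.group(1), m.group(0)), pattern)


def what_matches(style, what, target):
    """Capture dict ({} for non-regex styles) if the <what> selects target, else None."""
    t = norm(target)
    if style == "*":
        return {}
    if style == "dn.base":
        return {} if t == norm(what) else None
    if style == "dn.children":
        base = norm(what)
        return {} if t != base and t.endswith("," + base) else None
    if style == "dn.regex":
        m = re.search(what, t, re.IGNORECASE)
        return {str(i): g for i, g in enumerate(m.groups(), 1)} if m else None
    raise ValueError(f"unsupported <what> style {style}")


def who_matches(style, pattern, bind, target, groups):
    b = norm(bind)
    if style == "*":
        return True
    if style == "users":
        return b != ""
    if style == "self":
        return b != "" and b == norm(target)
    if style in ("dn", "dn.exact"):
        return b == norm(pattern)          # "$1" is compared as the literal text "$1"
    if style == "dn.exact,expand":
        return b == norm(expand(pattern, groups))
    if style == "dn.regex":
        return re.search(expand(pattern, groups), b, re.IGNORECASE) is not None
    raise ValueError(f"unsupported <who> style {style}")


def access_allowed(acls, target, attr, bind, need):
    """acls: [(what_style, what_pattern, [(who_style, pattern, access), ...]), ...].
    Returns (granted, reason).  attr is informational: none of the thread's ACLs
    restrict attrs=, so every directive also covers the "children" pseudo-attribute."""
    for n, (wstyle, what, who) in enumerate(acls, 1):
        groups = what_matches(wstyle, what, target)
        if groups is None:
            continue
        for style, pattern, access in who:
            if who_matches(style, pattern, bind, target, groups):
                why = f"acl[{n}] <who> {style}={pattern!r} gives {access}; {need} on {attr} requested"
                return LEVELS[access] >= LEVELS[need], why
        return False, f"acl[{n}] matched, no <who> clause matched: none"
    return False, "no <what> matched: none (toy default)"


def can_add(acls, new_dn, bind):
    """What bdb_add checks: write access to "children" of the parent entry."""
    return access_allowed(acls, parent_of(new_dn), "children", bind, "write")


# Constructed from the DNs and ACLs quoted in the thread.
BIND = "uid=graylion,ou=users,dc=graylion,dc=net"
ADMIN = "cn=admin,dc=graylion,dc=net"
NEW_DN = ("uid=0430d7cb45d65818410b30ff9c9a130a,"
          "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
BOOK_RE = r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
TAIL = [("dn.base", "", [("*", "", "read")]),
        ("*", "", [("dn", ADMIN, "write"), ("*", "", "read")])]


def book_acls(owner_clause):
    """The thread's first access directive with the owner <who> clause swapped in."""
    return [("dn.regex", BOOK_RE,
             [owner_clause, ("dn.regex", ADMIN, "read"), ("users", "", "none")])] + TAIL


AS_POSTED = book_acls(("dn", "uid=$1,ou=users,dc=graylion,dc=net", "write"))
WITH_EXPAND = book_acls(("dn.exact,expand", "uid=$1,ou=users,dc=graylion,dc=net", "write"))
WITH_REGEX = book_acls(("dn.regex", "^uid=$1,ou=users,dc=graylion,dc=net$", "write"))
SUGGESTED = [("dn.children", "ou=personal,ou=contacts,dc=graylion,dc=net",
              [("self", "", "write"), ("dn", ADMIN, "read"), ("users", "", "none")])] + TAIL

if __name__ == "__main__":
    for name, acls in [("as posted", AS_POSTED), ("dn.exact,expand", WITH_EXPAND),
                       ("dn.regex", WITH_REGEX), ("dn.children + self", SUGGESTED)]:
        ok, why = can_add(acls, NEW_DN, BIND)
        print(f"{name:20} {'ALLOW' if ok else 'DENY':5}  {why}")
```

Running it prints one verdict per variant, with the <who> clause that decided, in the same spirit as the `=> access_allowed` / `<= acl_mask` lines in the trace. Against the real server the same question can be put to slapacl(8), which evaluates the ACLs from slapd.conf without a client round-trip, e.g. `slapacl -f /etc/ldap/slapd.conf -D "uid=graylion,ou=users,dc=graylion,dc=net" -b "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" children/write` (config path assumed).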