[ILUG] Re: openldap ACL woes
Bernhard Rohrer
graylion at sm-wg.net
Thu Apr 17 23:28:32 IST 2008
Marcus Furlong wrote:
> On Wednesday 16 April 2008 14:56 in <4806058E.3020209@sm-wg.net>, Bernhard
> Rohrer wrote:
>
>
>> Hi Guys
>>
>> I am struggling with my ACL
>>
>> I am trying to add an entry to my addressbook and am getting a permission
>> denied error with the log showing this:
>>
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 BIND dn="uid=graylion,ou=users,dc=graylion,dc=net" method=128
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 BIND dn="uid=graylion,ou=users,dc=graylion,dc=net" mech=SIMPLE ssf=0
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 RESULT tag=97 err=0 text=
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 SRCH base="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" scope=0 deref=0 filter="(objectClass=*)"
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 ENTRY dn="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=2 ADD dn="uid=6b64867845662ba2624a367c8023367f,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
>> Apr 15 22:56:37 collab slapd[4243]: conn=7 op=2 RESULT tag=105 err=50 text=no write access to parent
>>
>> the relevant piece of ACL reads:
>>
>> # allow user to create entries in own addressbook; no-one else can access
>> # it needs write access to the entries ENTRY attribute ...
>> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
>>         attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
>>         by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
>>         by dn.regex="cn=admin,dc=graylion,dc=net" read
>>         by users none
>>
>>
>> # ... and the entries CHILDREN
>> #access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
>>         attrs=children
>>         by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
>>         by dn.regex="cn=admin,dc=graylion,dc=net" read
>>         by users none
>>
>> this all looks right to me, so Hjaelp!
>>
>
> Can you set loglevel to 128 in slapd.conf and post the resultant logs? This
> will show the acl processing.
>
> Marcus.
>
Sorry, took a bit:
Apr 16 21:32:03 collab slapd[10866]: conn=4 op=2 ADD dn="uid=164d0840c019cc78f6980611b7d526e0,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 16 21:32:03 collab slapd[10866]: => access_allowed: add access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested
Apr 16 21:32:03 collab slapd[10866]: => dnpat: [2] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 16 21:32:03 collab slapd[10866]: => acl_get: [2] matched
Apr 16 21:32:03 collab slapd[10866]: => dnpat: [3] ^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 16 21:32:03 collab slapd[10866]: => dnpat: [4] cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 16 21:32:03 collab slapd[10866]: => dnpat: [5] cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 16 21:32:03 collab slapd[10866]: => dn: [6] ou=servers,dc=graylion,dc=net
Apr 16 21:32:03 collab slapd[10866]: => dn: [7]
Apr 16 21:32:03 collab slapd[10866]: => acl_get: [8] attr children
Apr 16 21:32:03 collab slapd[10866]: => acl_mask: access to entry "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr "children" requested
Apr 16 21:32:03 collab slapd[10866]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=0)
Apr 16 21:32:03 collab slapd[10866]: <= check a_dn_pat: cn=admin,dc=graylion,dc=net
Apr 16 21:32:03 collab slapd[10866]: <= check a_dn_pat: *
Apr 16 21:32:03 collab slapd[10866]: <= acl_mask: [2] applying read(=rscxd) (stop)
Apr 16 21:32:03 collab slapd[10866]: <= acl_mask: [2] mask: read(=rscxd)
Apr 16 21:32:03 collab slapd[10866]: => slap_access_allowed: add access denied by read(=rscxd)
Apr 16 21:32:03 collab slapd[10866]: => access_allowed: no more rules
Apr 16 21:32:03 collab slapd[10866]: conn=4 op=2 RESULT tag=105 err=50 text=no write access to parent
thanks
Bernhard
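An added example, not configuration from the thread: the trace above shows the request for "children" on the addressbook container resolving to read(=rscxd), which is what makes the ADD fail with "no write access to parent". The directive below, written for the same DIT, attribute lists and admin DN as the thread, grants the owner write on the container's children pseudo-attribute, on the container itself and on the contact entries below it in one rule. The "(.+,)?" prefix, the dn.exact,expand form of the by clause, the "by * none" closer and the slapd.conf path in the comments are my assumptions, not something the thread states.

```conf
# Added example, not the configuration posted in the thread.  One "access to"
# directive for the same DIT replaces the two ou=personal stanzas and covers
#   - the container cn=<user>,ou=personal,ou=contacts,...  (entry + children),
#   - everything below it, e.g. uid=<hash>,cn=<user>,ou=personal,...,
#     via the optional "(.+,)?" prefix (an assumption; the thread's regex has
#     no "^" anchor, so it matched the children as a side effect).
# Why both matter: slapd checks an ADD as write on the PARENT's "children"
# pseudo-attribute, then write on the new entry's "entry" pseudo-attribute and
# on each of its attributes, and it stops at the first "access to" whose DN
# and attribute both match.  Keep this directive above any broader rule for
# dc=graylion,dc=net.
# $2 is the cn captured by the "to" regex.  dn.exact,expand substitutes it
# into an exact match; the thread's by dn.regex="uid=$1,..." is unanchored and
# also matches any bind DN that merely ends with that string.
# "by users none" only covers authenticated binds; "by * none" also stops
# anonymous clients falling through to later rules.
# Do not put comment lines between the continuation lines: slapd.conf joins any
# line starting with whitespace onto the previous line, even a comment line.
access to dn.regex="^(.+,)?cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
        attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha
        by dn.exact,expand="uid=$2,ou=users,dc=graylion,dc=net" write
        by dn.exact="cn=admin,dc=graylion,dc=net" read
        by * none

# Check the result offline before restarting slapd (stop slapd first with a
# bdb/hdb backend, since slapacl opens the database itself; the config path is
# an assumption):
#   slapacl -f /etc/ldap/slapd.conf -v \
#       -D "uid=graylion,ou=users,dc=graylion,dc=net" \
#       -b "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" \
#       children/write entry/write
# slapacl prints "<attr>/<access>: ALLOWED" or "DENIED" per request; rerun with
# another user's DN after -D to confirm that one gets DENIED.
```

slapacl walks the same acl_get/acl_mask code path that produced the loglevel 128 trace, so it is the quickest way to tell whether the rule file slapd is actually reading matches the one you think you edited.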