Ok,

My slapd.access file now looks like:

#########
olcAccess: to dn.base=""
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
        by dn.exact="uid=silasb,ou=people,dc=qm" write
        by self write
        by * read

olcAccess: to *
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
        by dn.exact="uid=silasb,ou=people,dc=qm" write
        by * read
#########

ldap_add: Insufficient access (50)
        additional info: no write access to parent

Tried replacing dn.base="" with dn.base="dc=qm", dn.subtree="dc=qm",
dn.children="dc=qm", dn.subtree="", dn.children=""

Same story...



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Karsten
Gorling
Sent: Thursday, September 22, 2005 12:16 PM
To: [email protected]
Subject: Re: ACL Headaches


>* Bennett, Silas (GE Infrastructure) <[EMAIL PROTECTED]> [050922 20:52]:
>> Every ACL listing now has
>
>I think the error is now in the 
>'access to dn=".*,dc=qm"' Statement. Apparently you want dn.regex,
>instead of dn.base (which is default), although I cannot see why.
>Because this ACL is never evaluated, your user has no write-access to
>your LDAP-Tree.
>
>If there is not a pressing need to use dn.regex, use dn.subtree or
>dn.children (look in man slapd.access)
>
>>      by dn="uid=silasb,ou=people,dc=qm" write
>>      by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write
>
>Since you have now a working SASL-Regex the second by-clause will
>never be evaluated true. The ACL-Engine sees only the modified ACLs,
>so you can omit the second by-statement.
>
>On a second note, if you want to check a "dn" it is always better to use
>dn.exact (usually that is what you want) (ok exact, or base, is the
>default, but I like to have my ACLs 100% clear)
>
>> ldap_add: Insufficient access (50)
>>      additional info: no write access to parent
>
>-- 
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
>E-Mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
>Instantmessenger: Jabber: [EMAIL PROTECTED] or ICQ: 95492828
>PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------
>
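
The scope styles discussed in the reply above (base/exact as the default, regex, subtree, children), as an added example that is not from the thread: a simplified Python model of which entries the `to dn.<style>=` part of a clause selects. The target DNs are constructed, and DN normalisation is reduced to lower-casing, so escaped commas are not handled.

```python
import re

def normalize(dn):
    # Simplified normalisation (assumption): lower-case, trim each RDN.
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def depth(dn):
    return len(dn.split(",")) if dn else 0

def what_matches(style, pattern, entry_dn):
    """True if 'access to dn.<style>=<pattern>' selects entry_dn."""
    e = normalize(entry_dn)
    if style == "regex":
        # The pattern is a regular expression, unanchored unless it says so.
        return re.search(pattern, e, re.IGNORECASE) is not None
    p = normalize(pattern)
    # "under" means strictly below p; the empty DN is above every entry.
    under = e.endswith("," + p) if p else e != ""
    if style in ("base", "exact"):      # the default when no style is given
        return e == p
    if style == "one":                  # immediate children only
        return under and depth(e) == depth(p) + 1
    if style == "children":             # descendants, not the entry itself
        return under
    if style == "subtree":              # the entry and all descendants
        return e == p or under
    raise ValueError("unknown dn style: " + style)

def selected(style, pattern, dns):
    """Return the DNs from dns that the <what> clause would apply to."""
    return [dn for dn in dns if what_matches(style, pattern, dn)]

# Constructed targets: root DSE, the suffix, a container, a leaf entry.
TARGETS = ["", "dc=qm", "ou=people,dc=qm", "uid=silasb,ou=people,dc=qm"]

if __name__ == "__main__":
    for style, pattern in [("base", ".*,dc=qm"), ("regex", ".*,dc=qm"),
                           ("base", ""), ("base", "dc=qm"),
                           ("children", "dc=qm"), ("subtree", "dc=qm"),
                           ("children", ""), ("subtree", "")]:
        print("dn.%s=%r -> %r" % (style, pattern,
                                  selected(style, pattern, TARGETS)))
```

Only the `<what>` selection is modelled; the `by` clauses and the write access to the parent that an add needs are evaluated by slapd after a clause has been selected.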
