Hi everyone,
I've been facing an ACL problem for a long time, and I've got to the point where I'm
out of ideas. The problem is related to writing to a specific branch of the DIT.
My DIT has the following hierarchy:
dc=spi,dc=net
-> c=cl
-->ou=users
--->ou=regular
--->ou=admin
The ACL should allow the users under the admin subtree to write to the
regular subtree (admin and regular users model).
So, I have the following ACL includes in slapd.conf:
include /etc/ldap/acls/acl.conf.default
include /etc/ldap/acls/acl.conf
The ACL files have the following lines:
# /etc/ldap/acls/acl.conf.default
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=spi,dc=net" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=spi,dc=net" write
by * read
# /etc/ldap/acls/acl.conf
access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net"
attrs="children"
by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" manage
by * read
So, I created a user under the admin subtree with the following DN:
uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net
To test, I'm trying to add a user with the following LDIF file:
# Test
dn: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
# Customized class
objectClass: spi
cn: Teste
sn: teste
givenName: Teste
uid: teste
url: http://mysite.com
mail: [email protected]
l: City
TimeZone: GMT-4
area: Gov
st: State
organization: Organization
o: SPI
preferredLanguage: en-US
description: Test
However, when I try to add the user (ldapadd -x -D
"uid=cl-admin,ou=admins,ou=usuarios,c=cl,dc=spi,dc=net" -W -f /tmp/test.ldif),
I get the following error:
ldap_add: Insufficient access (50)
additional info: no write access to parent
The ACL debug log shows me the following sequence of
information:
Nov 3 12:00:47 nodo108 slapd[16629]: hdb_referrals: tag=104
target="uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net"
matched="ou=regular,ou=users,c=cl,dc=spi,dc=net"
Nov 3 12:00:47 nodo108 slapd[16629]: ==> hdb_add:
uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_required entry
(uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net), objectClass "spi"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "objectClass"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "cn"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "sn"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "givenName"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "uid"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "url"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "mail"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "l"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "timeZone"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "area"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "st"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "organization"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "o"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type
"preferredLanguage"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type
"structuralObjectClass"
Nov 3 12:00:47 nodo108 slapd[16629]: slap_queue_csn: queing 0xb6603a32
20101103140047.629760Z#000000#000#000000
Nov 3 12:00:47 nodo108 slapd[16629]:
bdb_dn2entry("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov 3 12:00:47 nodo108 slapd[16629]: =>
hdb_dn2id("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov 3 12:00:47 nodo108 slapd[16629]: <= hdb_dn2id: get failed: DB_NOTFOUND:
No matching key/data pair found (-30990)
Nov 3 12:00:47 nodo108 slapd[16629]: => access_allowed: add access to
"ou=regular,ou=users,c=cl,dc=spi,dc=net" "children" requested
Nov 3 12:00:47 nodo108 slapd[16629]: => dn: [1]
ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: => dn: [3]
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_get: [4] attr children
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_mask: access to entry
"ou=regular,ou=users,c=cl,dc=spi,dc=net", attr "children" requested
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_mask: to all values by
"uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net", (=0)
Nov 3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat:
cn=admin,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: *
Nov 3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] applying read(=rscxd)
(stop)
Nov 3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] mask: read(=rscxd)
Nov 3 12:00:47 nodo108 slapd[16629]: => slap_access_allowed: add access
denied by read(=rscxd)
Nov 3 12:00:47 nodo108 slapd[16629]: => access_allowed: no more rules
Nov 3 12:00:47 nodo108 slapd[16629]: hdb_add: no write access to parent
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_result: conn=26 op=1 p=3
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_result: err=50 matched=""
text="no write access to parent"
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_response: msgid=2 tag=105
err=50
Nov 3 12:00:47 nodo108 slapd[16629]: conn=26 op=1 RESULT tag=105 err=50
text=no write access to parent
I tried a lot of different solutions, but nothing seems to work. Does anybody
have a clue about how to fix it?
--
Eduardo Santos
Systems Analyst
http://eduardosan.wordpress.com
http://twitter.com/eduardosan
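Not part of Eduardo's post: the following Python script is an added example that models slapd's first-match ACL evaluation on the rules quoted above, to show why the add was denied and to check a corrected ordering. It is not OpenLDAP code; it implements only the slapd.access(5) subset the thread uses. The FIXED_ACL text, and the decision to let ou=admins also write userPassword in ou=regular, are assumptions of mine, not configuration from the thread.

```python
# Added example (not from the original post): a small model of slapd's ACL
# evaluation, enough to reproduce the denial in the thread and to check a
# corrected ordering. Covers the slapd.access(5) subset used here (targets '*',
# dn.base=, dn.children=, dn.subtree=, attrs=; by *, anonymous, self, dn=, dn.sub=).
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
TOKEN = re.compile(r'[^\s"]+="[^"]*"|\S+')   # keeps a quoted DN as one token

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def below(dn, base):                          # dn strictly underneath base
    return dn != base and (dn.endswith("," + base) if base else dn != "")

def parse_acls(text):
    rules = []
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", body)[1:]:
        toks = TOKEN.findall(chunk)
        rule = {"style": "*", "pattern": "", "attrs": None, "by": []}
        while toks and toks[0] != "by":                    # <what> part
            key, _, val = toks.pop(0).partition("=")
            val = norm(val.strip('"'))
            if key.startswith("dn."):
                rule["style"], rule["pattern"] = key[3:], val
            elif key == "attrs":
                rule["attrs"] = set(val.split(","))
        while toks:                                         # by <who> <level>
            _, who, level = toks.pop(0), toks.pop(0), toks.pop(0)
            kind, _, pat = who.partition("=")
            rule["by"].append((kind, norm(pat.strip('"')), level))
        rules.append(rule)
    return rules

def target_matches(rule, dn, attr):
    s, p = rule["style"], rule["pattern"]
    ok = {"*": True, "base": dn == p, "children": below(dn, p),
          "subtree": dn == p or below(dn, p), "sub": dn == p or below(dn, p)}[s]
    return ok and (rule["attrs"] is None or attr.lower() in rule["attrs"])

def who_matches(kind, pat, bind_dn, target_dn):
    return {"*": True, "anonymous": bind_dn == "", "self": bind_dn == target_dn,
            "dn": bind_dn == pat, "dn.sub": bind_dn == pat or below(bind_dn, pat)}[kind]

def granted(rules, bind_dn, target_dn, attr):
    """First rule whose <what> matches decides; within it the first matching
    'by' clause decides; a matching rule with no matching clause means none."""
    bind_dn, target_dn = norm(bind_dn), norm(target_dn)
    for i, rule in enumerate(rules, 1):
        if target_matches(rule, target_dn, attr):
            for j, (kind, pat, level) in enumerate(rule["by"], 1):
                if who_matches(kind, pat, bind_dn, target_dn):
                    return level, i, j
            return "none", i, 0
    return "none", 0, 0

def can_add(rules, bind_dn, new_dn, attrs=("objectClass", "cn", "sn", "uid")):
    """slapd's add checks, in order: write on the parent's 'children' pseudo-
    attribute, write on the new entry's 'entry' pseudo-attribute, then write
    on each attribute of the entry. Returns (ok, reason)."""
    checks = [(new_dn.partition(",")[2], "children", "parent"),
              (new_dn, "entry", "entry")] + [(new_dn, a, a) for a in attrs]
    for dn, attr, what in checks:
        level, i, j = granted(rules, bind_dn, dn, attr)
        if LEVELS.index(level) < LEVELS.index("write"):
            return False, f"no write access to {what} (rule {i}, by-clause {j} grants {level})"
    return True, "ok"

# acl.conf.default and acl.conf as posted in the thread, comments stripped.
DEFAULT_ACL = """access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=spi,dc=net" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to *
    by dn="cn=admin,dc=spi,dc=net" write
    by * read
"""
POSTED_DELEGATION = """access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net" attrs="children"
    by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" manage
    by * read
"""
# Proposed ordering (assumption): password rule first, then the delegated
# subtree with dn.subtree so the parent ou=regular itself is covered, catch-all last.
FIXED_ACL = """access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=spi,dc=net" write
    by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to dn.subtree="ou=regular,ou=users,c=cl,dc=spi,dc=net"
    by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" write
    by * read
access to *
    by dn="cn=admin,dc=spi,dc=net" write
    by * read
"""
CL_ADMIN = "uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net"
NEW_USER = "uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net"

if __name__ == "__main__":
    for name, acl in [("as posted", DEFAULT_ACL + POSTED_DELEGATION), ("fixed", FIXED_ACL)]:
        print(name, can_add(parse_acls(acl), CL_ADMIN, NEW_USER))
```

Run as is, the "as posted" case reports the same condition as the log: the request for `children` on ou=regular is matched by the catch-all `access to *` (read for everyone but cn=admin), and since the first `access to` clause whose target matches is the one that decides, the delegated rule included later from acl.conf is never consulted. Moving that rule above the catch-all is not enough on its own either: `dn.children=` matches entries strictly under ou=regular, but the add checks the `children` pseudo-attribute of ou=regular itself (then `entry` on the new DN, then write on each attribute), so the target needs `dn.subtree=`. Keep the userPassword rule ahead of the delegated subtree rule; placed after it, the subtree rule's `by * read` would hand password hashes to anonymous readers, which you can confirm by swapping those two rules in FIXED_ACL and querying `granted(rules, "", NEW_USER, "userPassword")`.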