On 3/2/11 2:27 PM, Juan José Aragonés wrote:
Hello

It's the first post I'm writing, but I've reached this point reading a lot of the posts, so first of all I want to thank all of you for such a great job.
OK, now to my problem:
I've created my LDAP system for testing and it works fine. For an easier use I downloaded and installed ApacheDS (after having set up the entire system). I created the connection and it works. Up to this point it is great. Then I decided to add some ACLs to my slapd.conf.

Hmmm... ApacheDS does not have a slapd.conf file. This is an OpenLDAP file.

Aren't you confusing Apache Directory Studio (aka Studio, the RCP tool) with Apache Directory Server (aka ApacheDS)?
In the beginning I had the simple one:

  access to *
     by * read

This one worked fine: I can log in with any user and read the whole tree. So I #commented this one and tried another one:

access to dn.subtree="ou=Bahamas,ou=Users,dc=test,dc=com"
    by dn.exact="cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" write

It's meant to allow Ken Roberts to modify, add or delete entries but only under "ou=Bahamas,ou=Users,dc=test,dc=com" (hope this is correct). But when I try to log in as "cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" in ApacheDS I can't (error message: Invalid credentials). It only lets me log in as "cn=Manager,dc=test,dc=com" (set in slapd.conf as the root DN).
I decided to try with another ACL:

access to *
    by dn.children="ou=Admin,ou=Users,dc=test,dc=com" write

It's meant to allow all users under "ou=Admin,ou=Users,dc=test,dc=com" to modify, add or delete entries anywhere in the tree. But the same happens: when I try to log in as "cn=MR Administrator,ou=Admin,ou=Users,dc=test,dc=com" in ApacheDS I can't (same error as above). I can only log in as "cn=Manager,dc=test,dc=com".

I have no idea what to do, so if anyone can help me with this I'd be really grateful.
So far, assuming that you are using Studio + OpenLDAP, all the issues you have are really related to OpenLDAP configuration, not to Studio. Studio has no idea about OpenLDAP ACI handling, whatsoever.

I'd suggest you set up the log level in OpenLDAP to get some more information about the ACIs and how they are managed.

Otherwise, you can also post to the OpenLDAP mailing list.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
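For readers hitting the same "Invalid credentials" symptom, here is an added example of a slapd.conf ACL set for the dc=test,dc=com tree from the post; it is not part of the thread and not from either poster. The behaviour it relies on is standard OpenLDAP: directives are evaluated in order, the first "access to" whose target matches wins, every directive ends with an implicit "by * none", and the rootdn bypasses ACLs entirely. That is why the post's second and third ACLs break ordinary binds while cn=Manager keeps working: a simple bind needs "auth" access to the bind DN's userPassword, and once any narrower directive exists nothing grants it. The file path, the "loglevel" line and the "by users read" grants are assumptions about a sensible test setup.

```conf
# Added example, not the original poster's configuration.
# Assumed location: /etc/openldap/slapd.conf (adjust for your install).

# What the reply suggests: log ACL evaluation so slapd shows which
# "access to" / "by" clause matched for each operation.
loglevel acl

# 1. Passwords first. The post's original "access to * by * read" let
#    anyone read password hashes; a bind only needs "auth" (compare),
#    which anonymous must have, or no simple bind can ever succeed.
#    "self" lets a user change its own password, nobody else sees it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The Bahamas subtree (the post's second ACL), made usable: Ken
#    Roberts and the Admin people can write, other authenticated users
#    read. Without the trailing "by" lines the implicit "by * none"
#    would hide this subtree from everyone else.
access to dn.subtree="ou=Bahamas,ou=Users,dc=test,dc=com"
    by dn.exact="cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" write
    by dn.children="ou=Admin,ou=Users,dc=test,dc=com" write
    by users read
    by * none

# 3. Catch-all last (the post's third ACL). "access to *" matches every
#    entry, so any directive placed after it would never be evaluated.
#    Note dn.children matches entries directly under ou=Admin only;
#    use dn.subtree if nested OUs should count as admins too.
access to *
    by dn.children="ou=Admin,ou=Users,dc=test,dc=com" write
    by users read
    by * none
```

Two checks are worth running after a change like this. Offline, slapacl evaluates the ACLs without starting a server; run as anonymous against Ken's entry, `slapacl -f /etc/openldap/slapd.conf -b "cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" userPassword/auth` must print "auth access to userPassword: ALLOWED" for binds to work. Online, `ldapwhoami -x -H ldap://localhost -D "cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" -W` should return Ken's DN rather than "Invalid credentials (49)". The rule of thumb for reviewing any slapd ACL set: put attribute-specific directives before entry-wide ones, keep "access to *" at the bottom, and never grant more than "auth" on userPassword to anyone but the entry itself.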
