I went thru slapd.access and slapacl manuals, read the FAQ but I'm stuck.
I cannot give some user privilege to write to some parts of my LDAP tree.
LDIF export of the relevant parts of my tree:
----------------------------
# Exportação LDIF para: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Servidor: ldap sub.domain.xyz.xy (127.0.0.1)
# Abrangência da Busca: sub
# Filtro de Busca: (objectClass=*)
# Total de objetos: 1
dn: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: Administrador LDAP
# Exportação LDIF para: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
# Servidor: ldap sub.domain.xyz.xy (127.0.0.1)
# Abrangência da Busca: base
# Filtro de Busca: (objectClass=*)
# Total de objetos: 1
dn: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
ou: moodleusers
objectClass: organizationalUnit
objectClass: top
# Exportação LDIF para: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Servidor: ldap sub.domain.xyz.xy (127.0.0.1)
# Abrangência da Busca: sub
# Filtro de Busca: (objectClass=*)
# Total de objetos: 1
dn: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
uid: usuariomoodle-admin
userPassword: ...
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
----------------------------
and now slapd.conf:
----------------------------
# 1
access to dn.base="cn=Subschema"
by * read
# 2
access to attrs=userPKCS12
by self write
by * auth
# 3
access to attrs=shadowLastChange
by self write
by * read
# 4
access to attrs=userPassword
by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
by anonymous auth
by self write
by * none
# 5
access to dn.base=""
by * read
# 6
access to *
by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
by * read
# 7
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
# Previous tries
#access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
# by
dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to dn.children="dc=sub,dc=domain,dc=xyz,dc=xy"
# by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to * (!)
# by
dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
suffix "dc=sub,dc=domain,dc=xyz,dc=xy"
rootdn "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy"
rootpw ...
----------------------------
I also tried to set usuariomoodle-admin permissions to "=mwrscxd"
since it's the exact output from slapacl for
"cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy". Following the acl's in that
order I can't find where, if it exists, an acl breaks my acl number 7.
I used phpldapadmin, logged as usuariomoodle-admin, could not
create child objects, neither modify existing ones. Using the external
application (that this acl refers to) to try to write on the ldap tree
didn't work. Finally slapacl showed just "rscxd" as the permissions
for that user, despite the fact that I set write permission on the
slapd.conf for that resource/that user.
What's wrong?
thanks,
lauro
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.