I went through the slapd.access and slapacl manuals and read the FAQ, but I'm stuck. I cannot give a user the privilege to write to some parts of my LDAP tree.
LDIF export of the relevant parts of my tree:
----------------------------
# LDIF export for: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: Administrador LDAP

# LDIF export for: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: base
# Search filter: (objectClass=*)
# Total objects: 1

dn: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
ou: moodleusers
objectClass: organizationalUnit
objectClass: top

# LDIF export for: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
uid: usuariomoodle-admin
userPassword: ...
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
----------------------------
and now slapd.conf:
----------------------------
# 1
access to dn.base="cn=Subschema"
        by * read

# 2
access to attrs=userPKCS12
        by self write
        by * auth

# 3
access to attrs=shadowLastChange
        by self write
        by * read

# 4
access to attrs=userPassword
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous auth
        by self write
        by * none

# 5
access to dn.base=""
        by * read

# 6
access to *
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read

# 7
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

# Previous tries
#access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
#        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to dn.children="dc=sub,dc=domain,dc=xyz,dc=xy"
#        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to * (!)
#        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

suffix "dc=sub,dc=domain,dc=xyz,dc=xy"
rootdn "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy"
rootpw ...
----------------------------
I also tried to set the usuariomoodle-admin permissions to "=mwrscxd", since that is the exact output from slapacl for "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy". Following the ACLs in that order, I can't find where, if it exists, an ACL breaks my ACL number 7. I used phpldapadmin, logged in as usuariomoodle-admin, and could not create child objects, nor modify existing ones. Using the external application (the one this ACL is for) to try to write to the LDAP tree didn't work either. Finally, slapacl showed just "rscxd" as the permissions for that user, despite the fact that I set write permission in slapd.conf for that resource/that user.
What's wrong?
thanks,
lauro
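slapd consults only the first access directive whose target clause matches the entry being accessed, so a catch-all "access to *" placed ahead of a narrower rule shadows it, and the rootdn is exempt from ACLs altogether. The toy evaluator below, an added example rather than anything from the post or from OpenLDAP, models that first-match behaviour over the dn-based rules quoted above; it assumes dn= is exact, omits the attrs= rules, and skips DN normalisation.

```python
"""Toy model of slapd ACL evaluation: the first 'access to' clause whose target matches
the entry is the only one consulted, and within it the first matching 'by' clause wins.
Assumptions (not slapd internals): dn= means exact, attrs= rules are omitted, the rootdn
bypasses ACLs, and an unmatched list falls through to the implicit 'by * none'."""

ROOTDN = "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy"
MOODLE = "uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy"
OU = "ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"

def dn_matches(style, pattern, target):
    """Mimic the dn.exact / dn.subtree / dn.children styles (case-insensitive)."""
    t, p = target.lower(), pattern.lower()
    if style == "*":
        return True
    if style == "exact":
        return t == p
    if style == "subtree":
        return t == p or t.endswith("," + p)
    if style == "children":
        return t.endswith("," + p)
    raise ValueError(f"unknown dn style {style!r}")

def access_for(acls, target, requester):
    """Access level the requester gets on the target entry under the given ACL list."""
    if requester.lower() == ROOTDN.lower():
        return "write"                       # rootdn is not subject to access control
    for (style, pattern), by_clauses in acls:
        if not dn_matches(style, pattern, target):
            continue                         # only the first matching target clause counts
        for subject, level in by_clauses:    # first matching 'by' clause decides
            if subject == "*" or subject.lower() == requester.lower():
                return level
        return "none"                        # implicit 'by * none' closes the clause
    return "none"                            # implicit 'access to * by * none' after the list

# The dn-based rules from the post (numbers 1, 5, 6 and 7), in the order they appear.
POSTED = [
    (("exact", "cn=Subschema"), [("*", "read")]),
    (("exact", ""), [("*", "read")]),
    (("*", ""), [(ROOTDN, "write"), ("*", "read")]),   # rule 6 matches every entry first
    (("exact", OU), [(MOODLE, "write")]),              # rule 7 sits behind the catch-all
]

# Same rules with the ou=moodleusers grant placed before the catch-all and widened to the
# subtree, so entries created under the OU are covered as well; everyone else keeps read.
REORDERED = [
    POSTED[0], POSTED[1],
    (("subtree", OU), [(MOODLE, "write"), ("*", "read")]),
    POSTED[2],
]
```

Running access_for over POSTED returns "read" for the moodle account on the OU, matching the "rscxd" that slapacl reported, while REORDERED returns "write" on the OU and on a child entry beneath it.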