I'm attempting to grant permission to a user account object in my OpenLDAP directory to write to an OU and I can't yet figure out the proper ACL to use. If I grant write access to everybody on everything it works, but with the following configuration it does not.
I'm using OpenLDAP 2.3.34 on CentOS 4.5.
I'm using the following ACLs:
access to attrs=userPassword
    by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
    by dn.exact="cn=Manager,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

access to dn="ou=printers,dc=example,dc=org"
    by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
    by dn.exact="cn=manager,dc=example,dc=org" write
    by * read

access to *
    by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
    by self write
    by * read
I'm trying to give write permission to the cupsd object:
uid=cupsd,ou=people,dc=example,dc=org
I can authenticate using ldapsearch, but I'm unable to add any objects to this OU (confirming read, authenticated access), getting the following results:
$ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D "uid=cupsd,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
ldap_add: Insufficient access (50)
        additional info: no write access to entry
A verbose log indicates the following:
conn=2 op=3 MOD dn="cn=<printer IP>,ou=printers,dc=example,dc=org"
conn=2 op=3 MOD attr=cn printerDescription printerURI printerLocation printerMakeAndModel printerType objectClass
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=default,ou=policies,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=org")
=> bdb_entry_get found entry "cn=default,ou=policies,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
bdb_modify cn=<printer IP>,ou=printers,dc=example,dc=org
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
bdb_modify_internal 0x00000096 cn=<printer IP>,ou=printers,dc=example,dc=org
=> access_allowed delete access to "cn=<printer IP>,ou=printers,dc=example,dc=org" "cn" requested
=> dn [2] ou=printers,dc=example,dc=org
=> acl_get [3] attr cn
access_allowed no res from state (cn)
=> acl_mask access to entry "cn=<printer IP>,ou=printers,dc=example,dc=org", attr "cn" requested
=> acl_mask to all values by "uid=cupsd,ou=people,dc=example,dc=org", (=0)
<= check a_dn_pat uid=replicator,ou=people,dc=example,dc=org
<= check a_dn_pat self
<= check a_dn_pat *
<= acl_mask [3] applying read(=rscxd) (stop)
<= acl_mask [3] mask read(=rscxd)
=> access_allowed delete access denied by read(=rscxd)
bdb_modify modify failed (50)
So it looks like a read ACL is preventing the write. What would be the proper way to write the ACLs for this task?
TIA,
Joshua M. Miller writes:
$ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D "uid=cupsd,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
ldap_add: Insufficient access (50)
        additional info: no write access to entry
See man slapd.access:

    The add operation requires write (=w) privileges on the pseudo-attribute entry of the entry being added, and write (=w) privileges on the pseudo-attribute children of the entry's parent. When adding the suffix entry of a database, write access to children of the empty DN ("") is required.
Your statement

    access to dn="ou=printers,dc=example,dc=org"
        by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
        (...)

grants write access to the "children" pseudo-attribute of the parent (as well as to the rest of the parent). To grant access to the actual entries you add, use dn.subtree= instead of dn=. Or maybe another access statement with something more restrictive, i.e. with dn.children.
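To see why the plain dn= form fails while dn.subtree= works, here is an added example (my own code, not OpenLDAP's and not from anyone in this thread) that models slapd's first-matching-clause evaluation for the two checks the man page names, using the thread's printers clause with its scope varied; the printer DN cn=192.0.2.10,... is a constructed sample, and the "base" outcome reproduces the log above falling through to the third clause ([3], read).

```python
# Added example, not from the thread: a simplified model of how slapd picks the first
# "access to" clause whose target matches a DN, applied to the two checks an add needs:
# write on the new entry's "entry" pseudo-attribute and on the parent's "children" one.
# Only the scopes and "by" subjects the thread uses are modelled (attrs= rules left out).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
def norm(dn):  # case- and whitespace-insensitive comparison form of a DN
    return ",".join(p.strip().lower() for p in dn.split(","))
def parent(dn):
    return norm(dn).split(",", 1)[1]
def dn_scope_matches(scope, target, dn):
    # Same meaning as dn.<scope>= in slapd.access(5); a plain dn= is "base".
    target, dn = norm(target), norm(dn)
    if scope == "base":
        return dn == target
    if scope == "subtree":
        return dn == target or dn.endswith("," + target)
    if scope == "children":
        return dn != target and dn.endswith("," + target)
    raise ValueError(scope)
def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "self":
        return norm(bind_dn) == norm(entry_dn)
    if who.startswith("dn.exact="):
        return norm(bind_dn) == norm(who[len("dn.exact="):].strip('"'))
    raise ValueError(who)
def access_for(acls, entry_dn, bind_dn):
    # The first clause whose target matches decides; within it the first "by"
    # whose subject matches decides; no match at all means "none".
    for scope, target, bys in acls:
        if target == "*" or dn_scope_matches(scope, target, entry_dn):
            return next((lvl for who, lvl in bys if who_matches(who, bind_dn, entry_dn)), "none")
    return "none"
def can_add(acls, new_dn, bind_dn):
    return (LEVELS[access_for(acls, new_dn, bind_dn)] >= LEVELS["write"] and
            LEVELS[access_for(acls, parent(new_dn), bind_dn)] >= LEVELS["write"])

CUPSD = "uid=cupsd,ou=people,dc=example,dc=org"
PRINTERS = "ou=printers,dc=example,dc=org"
NEW_PRINTER = "cn=192.0.2.10,ou=printers,dc=example,dc=org"  # constructed sample DN

def thread_acls(scope):  # the thread's printers clause (scope varied) and its catch-all
    return [(scope, PRINTERS, [("dn.exact=" + CUPSD, "write"),
                              ("dn.exact=cn=manager,dc=example,dc=org", "write"), ("*", "read")]),
            ("base", "*", [("dn.exact=uid=replicator,ou=People,dc=example,dc=org", "read"),
                           ("self", "write"), ("*", "read")])]
def add_outcomes():  # -> {"base": False, "subtree": True, "children": False}
    return {s: can_add(thread_acls(s), NEW_PRINTER, CUPSD) for s in ("base", "subtree", "children")}
```

With dn.children alone the new entry is writable but the parent's children pseudo-attribute is not, which is why a children-scoped clause needs a second statement covering the parent.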
Hallvard,
Thank you! That worked great (dn.subtree). I had thought I had fixed it but the state data in my client application had not refreshed properly.
Thanks,
--
Joshua M. Miller - RHCE,VCP
Hallvard B Furuseth wrote:
Joshua M. Miller writes:
$ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D "uid=cupsd,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
ldap_add: Insufficient access (50)
        additional info: no write access to entry
See man slapd.access:

    The add operation requires write (=w) privileges on the pseudo-attribute entry of the entry being added, and write (=w) privileges on the pseudo-attribute children of the entry's parent. When adding the suffix entry of a database, write access to children of the empty DN ("") is required.
Your statement

    access to dn="ou=printers,dc=example,dc=org"
        by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
        (...)

grants write access to the "children" pseudo-attribute of the parent (as well as to the rest of the parent). To grant access to the actual entries you add, use dn.subtree= instead of dn=. Or maybe another access statement with something more restrictive, i.e. with dn.children.
This has been resolved; I must not have performed a proper restart, but the ACLs work.

Thanks,
--
Joshua M. Miller - RHCE,VCP
openldap-software@openldap.org