hi folks
I have the following ACL for my groups:
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
        by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
        by dn.regex="cn=admin,dc=graylion,dc=net" write
        by users none
# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
        by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
        by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
        by users none
the LDIF of one of my groups is:
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
cn: GraylionEnterprises
gidNumber: 7
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: ...
objectClass: top
objectClass: posixGroup
and the log shows this error:
Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry: "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find objectClass
while eGW shows this error:
Error saving the contact !!! Insufficient access: so_ldap: 503
what is wrong? Anybody have any ideas?
cheers
Bernhard
PS: this works for personal address books
Bernhard D Rohrer graylion@sm-wg.net writes:
> hi folks
> I have the following ACL for my groups:
> # Access to groups addressbooks
> # allow read of addressbook by members and egwadmin account
> access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
>         by dn.regex="cn=admin,dc=graylion,dc=net" write
>         by users none
> # allow members to create entries in their group addressbooks; no-one else can access it
> # needs write access to the entries ENTRY attribute ...
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>         by users none
> # ... and the entries CHILDREN
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>         by users none
> the LDIF of one of my groups is:
> dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
> cn: GraylionEnterprises
> gidNumber: 7
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: ...
> objectClass: top
> objectClass: posixGroup
> and the log shows this error:
> Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry: "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
> Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find objectClass
See man slapd.access(5): the dn style group expects objectClass groupOfNames as default. If you use other object classes, you have to define these, something like 'by group/posixGroup/memberUid'. If you use posixGroup it might be necessary to map the memberUid attribute value to a DN.
-Dieter
On Friday 16 March 2007, Bernhard D Rohrer wrote:
> hi folks
> I have the following ACL for my groups:
> # Access to groups addressbooks
> # allow read of addressbook by members and egwadmin account
> access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
>         by dn.regex="cn=admin,dc=graylion,dc=net" write
>         by users none
> # allow members to create entries in their group addressbooks; no-one else can access it
> # needs write access to the entries ENTRY attribute ...
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>         by users none
> # ... and the entries CHILDREN
> access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
>         by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
>         by users none
> the LDIF of one of my groups is:
> dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
> cn: GraylionEnterprises
> gidNumber: 7
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: ...
> objectClass: top
> objectClass: posixGroup
> and the log shows this error:
> Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry: "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
> Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find objectClass
> while eGW shows this error:
> Error saving the contact !!! Insufficient access: so_ldap: 503
> what is wrong? Anybody have any ideas?
You can't use a posixGroup (where the member attribute values are non-DN-valued) for ACLs without sets.
Either use a groupOfNames with member attribute (which contains the dn of the member, not the uid), or use sets (I believe there is an example on the FAQ-o-matic).
Regards, Buchan
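For reference, here is what the poster's ACL looks like rewritten along the lines both replies suggest (a DN-valued groupOfNames, with the set clause as the alternative). This is an added illustration, not from the thread or from OpenLDAP itself; the ou=people location of the user entries and the user DNs are assumptions.

```text
# slapd.conf: match the bound DN against a DN-valued member attribute.
# group/groupOfNames/member is the default that plain group.expand already implies;
# it is spelled out here so that the objectClass/attribute pair is explicit.
# All three patterns are anchored with ^ so only entries directly under
# ou=shared,ou=contacts match, and the admin clause uses dn.exact instead of an
# unanchored dn.regex, which would also match any DN containing that substring.
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
        by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
        by dn.exact="cn=admin,dc=graylion,dc=net" write
        by users none

access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
        by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
        by users none

access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
        by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
        by users none

# Alternative that keeps the existing posixGroup entries: a set clause compares the
# group's memberUid values with the uid attribute of the bound user's own entry,
# so no DN-valued member attribute is needed. Replace each group/... clause with:
#       by set.expand="[cn=$1,ou=groups,dc=graylion,dc=net]/memberUid & user/uid" write

# LDIF for the group as a groupOfNames (user DNs under ou=people are assumed).
# gidNumber is not carried over: posixGroup in nis.schema is STRUCTURAL, so a
# POSIX group that is still needed stays a separate entry.
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
objectClass: top
objectClass: groupOfNames
cn: GraylionEnterprises
member: uid=user1,ou=people,dc=graylion,dc=net
member: uid=user2,ou=people,dc=graylion,dc=net
member: uid=user3,ou=people,dc=graylion,dc=net
```

The rule can be checked offline against the config file with slapacl, e.g. `slapacl -f slapd.conf -D "uid=user1,ou=people,dc=graylion,dc=net" -b "cn=GraylionEnterprises,ou=shared,ou=contacts,dc=graylion,dc=net" entry/write`, which reports whether write on the entry attribute is granted for that bound DN.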
openldap-software@openldap.org