Dear list,
Please see below my LDAP structure
base DN           --> dc=suse,dc=ldap
virtual domain    --> virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
user DN           --> ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
group DN          --> ou=groups,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
contacts DN       --> ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
personal contacts --> ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
Here is my ACL to read and write the personal addressbook. The read ACL is working, but the write ACL is not.
################ personal ACL #######################
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
        by * none

access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        by dn.regex="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
#####################################################
The log reports "tag=105 err=50 text=no write access to parent". Could anyone suggest how to solve the problem? Thanks.
JOYDEEP j.bakshi@unlimitedmail.org writes:
[...]
Allow access to the pseudo attributes entry and children of the parent.
access to dn.regex=^ou=personal,ou=contacts,ou=contacts,virtualDomain..... attrs=entry,children,@someObjectClass by ...
-Dieter
Dieter Kluenter wrote:
[...]
Thanks Dieter for your response,
I have modified the ACL according to your suggestion and it is
access to dn.regex="^ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
but still I have the same problem, and the log reports:

conn=40 op=2 ADD dn="uid=d61af5515669698f52734f247c0f68ae,cn=bisu,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
Jul 9 08:00:53 lvps87-230-8-228 slapd[14106]: conn=40 op=2 RESULT tag=105 err=50 text=no write access to parent
Please help me to solve it. Thanks a lot for your help.
JOYDEEP wrote:
[...]
Thanks Dieter for your response,
I have modified the ACL according to your suggestion and it is
access to dn.regex="^ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
but still I have the same problem, and the log reports:

conn=40 op=2 ADD dn="uid=d61af5515669698f52734f247c0f68ae,cn=bisu,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
Jul 9 08:00:53 lvps87-230-8-228 slapd[14106]: conn=40 op=2 RESULT tag=105 err=50 text=no write access to parent
Please help me to solve it. Thanks a lot for your help.
In the above there is only one set of (), so your domain is going into $1 and nothing is saved in $2.
I would put it back to (still using the new attrs section by Dieter):
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
Gavin Henry wrote:
[...]
In the above there is only one set of (), so your domain is going into $1 and nothing is saved in $2.
I would put it back to (still using the new attrs section by Dieter):
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
Hi Gavin, I have modified the ACL as you suggest:
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        attr=entry,children,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by * none
but still I have:

Jul 9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 ADD dn="uid=cf594fcd2bace89814a3a2a62e6f9f91,cn=bisu,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
Jul 9 08:56:27 lvps87-230-8-228 slapd[30315]: conn=4 op=2 RESULT tag=105 err=50 text=no write access to parent
I've also tried with dn.regex="^cn=([^,]+),ou=personal,ou....................... but with the same effect.
JOYDEEP j.bakshi@unlimitedmail.org writes:
[...]
Please set loglevel to ACL and check which access rule matches first.
-Dieter
Dieter Kluenter wrote:
[...]
Please set loglevel to ACL and check which access rule matches first.
-Dieter
OK Dieter, I have set loglevel 128.
The ACLs I have for read and write are:
################ personal ACL #######################
###################### read #########################
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
        by * none
###################### write ########################
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"
        attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
        by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
        by users none
Now, if I try to add to the addressbook, it gives errors as:

Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: access to entry "cn=admin,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", attr "children" requested
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: to all values by "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", (=n)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= check a_dn_pat: uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] mask: read(=rscx)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx)
If I disable the read ACL, then I have no problem saving the contact.
Hi,
JOYDEEP j.bakshi@unlimitedmail.org writes:
[...]
Now, if I try to add to the addressbook, it gives errors as:

Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: access to entry "cn=admin,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", attr "children" requested
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => acl_mask: to all values by "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap", (=n)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= check a_dn_pat: uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: <= acl_mask: [1] mask: read(=rscx)
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx)
From the log one can see that the first access rule is applied and no
further checking is done. Please put your access rules in the correct order.
-Dieter
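As an added illustration that is not part of the thread, here is a small Python model of slapd's first-match ACL evaluation run over the DNs and regexes posted above: it shows the read clause shadowing the write clause for the children pseudo-attribute, the same check passing once the two clauses are swapped, and Gavin's single-capture-group expansion. The assumption that an uncaptured $N expands to an empty string and the exact-string DN comparison are mine, not slapd behaviour quoted from the thread.

```python
import re

# Constructed model of slapd's first-match ACL evaluation (not slapd code): the
# FIRST "access to" clause whose dn.regex matches the target entry and whose attrs
# cover the requested attribute decides; later clauses are never consulted.
LEVELS = {"none": 0, "read": 1, "write": 2}

def expand(pattern, match):
    # Substitute $1, $2 ... from the "to" match into the "by" pattern; an uncaptured
    # group expands to "" (assumption, cf. Gavin's "nothing is saved in $2").
    def sub(g):
        n = int(g.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return re.sub(r"\$(\d)", sub, pattern)

class Rule:
    def __init__(self, to_regex, attrs, by_pattern, level):
        self.to_regex, self.by_pattern, self.level = re.compile(to_regex), by_pattern, level
        self.attrs = attrs  # None = every attribute, pseudo-attributes included

    def decide(self, target_dn, attr, bind_dn):
        m = self.to_regex.search(target_dn)
        if not m or (self.attrs is not None and attr not in self.attrs):
            return None  # clause does not apply; slapd moves on to the next one
        who = expand(self.by_pattern, m)  # dn.exact,expand="uid=$1,...,virtualDomain=$2,..."
        return self.level if who == bind_dn else "none"  # otherwise "by * none"

def access_allowed(rules, target_dn, attr, bind_dn, requested):
    # Return (clause number, level granted, allowed?) for one access check.
    for i, rule in enumerate(rules, 1):
        granted = rule.decide(target_dn, attr, bind_dn)
        if granted is not None:
            return i, granted, LEVELS[granted] >= LEVELS[requested]
    return 0, "none", False

# Regexes and DNs as posted in the thread (constructed sample input, not live data).
TO = r"cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
OWNER = "uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap"
READ_RULE = Rule(TO, None, OWNER, "read")                     # JOYDEEP's read clause (no attrs)
WRITE_RULE = Rule(TO, {"entry", "children"}, OWNER, "write")  # Dieter's write clause
PARENT = "cn=admin,ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
BIND = "uid=admin,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"

def add_under(rules):
    # An ADD needs write on the parent's "children" pseudo-attribute (the check in the log).
    return access_allowed(rules, PARENT, "children", BIND, "write")

def one_group_owner():
    # Gavin's point: with a single capture group the domain lands in $1 and $2 is empty.
    m = re.search(r"^ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$",
                  PARENT.split(",", 1)[1])
    return expand(OWNER, m)
```

With the clauses in the posted order `add_under` reports clause 1 granting read and the write denied, exactly as the `acl_mask: [1] applying read(=rscx) (stop)` log line shows; with the write clause listed first the same ADD is allowed.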
openldap-software@openldap.org