Hi -
First off, I want to apologize for posting to list when I really should have read more. Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin Guide....and I'm still scratching my head wondering why this isn't working.
Here's my structure... I have two Groups: "Home" and "Work". I have two Users: "Me" and "You". These users have passwords.
I can search my LDAP using the rootdn, and I'm able to add to each of the Group AddressBooks "Home", and "Group" using the rootdn. What I can't seem to do, is have user "Me" or "You" access any of the AddressBooks.
The user "Me" has access to "Home" and "You" has access to "Work"; each has two different email addresses.
Again...the rootdn can see everything in Thunderbird...but it's "Me" and "You" that seem to have no access. Could someone please point me in the right direction?
I'm also using Apache Directory Studio, and I verified the four entries I added...two being placed in the "Home" AddressBook, and the other two in the "Work" AddressBook. The ACLs I'm using are below...and further down is the LDIF I used to create my structure.
I've tried attrs=userPassword, and attr=userPassword...I've seen both of these examples used
Thank you for any help.
# ACL1
access to attrs=userPassword
        by self write
        by anonymous auth

# ACL2
access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
        by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write

# ACL3
access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com"
        by * read
access to dn.base=""
        by * read

# ACL4
access to dn.base="cn=Subschema"
        by * read

# ACL5
disallow bind_anon
The LDIF I used...

# Initialize the suffix entry defined in slapd.conf
#
dn: dc=MyCompany,dc=com
objectclass: top
objectclass: organization
objectclass: dcObject
dc: MyCompany
o: cctr

#
# Initialize the AddressBooks hierarchy
#
dn: ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: AddressBooks

#
# Define individual address books
#
dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Home

dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com
objectclass: top
objectclass: organization
o: Work

#
# Initialize the Users hierarchy
#
dn: ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Users

#
# Define individual users
#
dn: cn=Me,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: Me
sn: My LastName
userPassword: {crypt}XXXXXX

dn: cn=You,ou=Users,dc=MyCompany,dc=com
objectclass: top
objectclass: person
cn: You
sn: You LastName
userPassword: {crypt}XXXXXX

#
# Initialize the Groups hierarchy
#
dn: ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups

#
# Group users into separate address books
#
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com

dn: o=Work,ou=Groups,dc=ucsb,dc=edu
objectclass: top
objectclass: groupOfNames
cn: Work
member: cn=You,ou=Users,dc=MyCompany,dc=com
------------------- david stackis
I think your ACLs are not allowing you to do what you want, but I can't say for sure without knowing how your client is binding to your directory.
If you turn on openldap's logging for ACL parsing, you should see the connection and if it was allowed or denied for the given bind.
( 128 (0x80 ACL) access control list processing : see man slapd.conf for details under loglevel )
Give that a try, and then you should be able to relax or adjust your ACLs to allow access.
I hope that helps.

Sellers
On Jul 30, 2008, at 10:42 PM, david stackis wrote:
++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers@nitle.org Jabber: csellers@nitle.org | AIM: imthewherd
Here is how my client is binding...
Base DN o=Home,ou=AddressBooks,dc=Mycompany,dc=com
Bind DN cn=Me,ou=Users,dc=MyCompany,dc=com
I am a member of the Home group:

dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com
I wanted to send this out to show you how I was binding with the client... I'll turn on the logging for ACL parsing like you suggested.
--On Thursday, July 31, 2008 9:11 AM -0400 "Chris G. Sellers" chris.sellers@nitle.org wrote:
------------------- david stackis uc santa barbara phone: 805-893-8286 http://isc.ucsb.edu
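Added example (an editor's addition, not part of the thread and not OpenLDAP code): a small Python model of the first-match rule selection that slapd.access(5) describes, fed the ACLs and the LDIF posted above and the bind DN and search base from the last message. It implements only the syntax the post uses (dn.base, dn.regex, attrs=, by self / anonymous / * / group.expand), approximates DN normalization by case-folding, and ignores everything else (continue/break controls, ssf, peername, sets, the rootdn), so it is a reasoning aid rather than a substitute for the ACL log. What it makes visible is the DN that group.expand actually looks up for o=Home: the pattern "cn=$1,ou=Groups,dc=MyCompany,dc=com" expands to cn=Home,ou=Groups,dc=MyCompany,dc=com, while the group entries in the posted LDIF were created as o=Home,ou=Groups,dc=MyCompany,dc=com and o=Work,ou=Groups,dc=ucsb,dc=edu, so in this model the by clause never matches and the request falls to none. A second rule set with the expansion changed to o=$1 (one way to make the two agree; renaming the groups to cn=Home / cn=Work is the other) is included for comparison; the Work group still fails in that variant because of its different suffix.

```python
import re
import shlex

# Constructed from the LDIF posted in this thread, trimmed to the entries and
# attributes the ACLs consult (the Work group really is under dc=ucsb,dc=edu).
POSTED_LDIF = """\
dn: cn=Me,ou=Users,dc=MyCompany,dc=com
userPassword: {crypt}XXXXXX
dn: cn=You,ou=Users,dc=MyCompany,dc=com
userPassword: {crypt}XXXXXX
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
member: cn=Me,ou=Users,dc=MyCompany,dc=com
dn: o=Work,ou=Groups,dc=ucsb,dc=edu
member: cn=You,ou=Users,dc=MyCompany,dc=com
"""

# ACL1-ACL4 as posted ("disallow bind_anon" is a global option, not an ACL).
POSTED_ACLS = """\
access to attrs=userPassword by self write by anonymous auth
access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
    by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write
access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn):  # rough stand-in for slapd DN normalization
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader ('attr: value' lines only) -> {norm(dn): {attr: [values]}}."""
    entries, attrs = {}, None
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            attrs = entries.setdefault(norm(value.strip()), {})
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries


def parse_acls(text):
    """'access to <what> by <who> <level> ...' -> [({what_key: value}, [(who, level)])]."""
    tok, acls, i = shlex.split(text), [], 0
    while i < len(tok):
        assert tok[i:i + 2] == ["access", "to"], tok[i]
        what, by, i = {}, [], i + 2
        while tok[i] != "by":
            key, _, val = tok[i].partition("=")
            what[key] = val
            i += 1
        while i < len(tok) and tok[i] == "by":
            by.append((tok[i + 1], tok[i + 2]))
            i += 3
        acls.append((what, by))
    return acls


def what_matches(what, dn, attr):
    """Regex match (or True) if <what> selects dn/attr, else None.  No attrs= means
    every attribute, including the 'entry'/'children' pseudo-attrs a search needs."""
    if ("dn.base" in what and norm(what["dn.base"]) != norm(dn)) or (
            "attrs" in what and attr.lower() not in what["attrs"].lower().split(",")):
        return None
    if "dn.regex" in what:  # slapd compiles these case-insensitively and unanchored
        return re.search(what["dn.regex"], norm(dn), re.IGNORECASE)
    return True


def who_matches(who, bind_dn, target_dn, m, entries):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and norm(bind_dn) == norm(target_dn)
    if who.startswith("group.expand="):
        # fill $1.. from the dn.regex match, look that DN up exactly, check members
        group_dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), who[13:])
        members = entries.get(norm(group_dn), {}).get("member", [])
        return norm(bind_dn) in {norm(x) for x in members}
    raise ValueError(f"unsupported <who>: {who}")


def access_allowed(acls, entries, bind_dn, target_dn, attr, need):
    """(allowed, level): only the first rule whose <what> matches is consulted; in it
    the first matching <by> fixes the level (control 'stop'); otherwise 'none'."""
    for what, by in acls:
        m = what_matches(what, target_dn, attr)
        if m is None:
            continue
        level = next((lvl for who, lvl in by
                      if who_matches(who, bind_dn, target_dn, m, entries)), "none")
        return LEVELS.index(level) >= LEVELS.index(need), level
    return False, "none"


ENTRIES, ACLS = parse_ldif(POSTED_LDIF), parse_acls(POSTED_ACLS)
# ACL2 rewritten so the expansion names the RDN the posted group entries use
FIXED_ACLS = parse_acls(POSTED_ACLS.replace("cn=$1,ou=Groups", "o=$1,ou=Groups"))
ME, HOME = "cn=Me,ou=Users,dc=MyCompany,dc=com", "o=Home,ou=AddressBooks,dc=MyCompany,dc=com"
if __name__ == "__main__":
    print("as posted:", access_allowed(ACLS, ENTRIES, ME, HOME, "entry", "search"))
    print("with o=$1:", access_allowed(FIXED_ACLS, ENTRIES, ME, HOME, "entry", "search"))
```

Level names follow slapd.access(5): write implies read and search, so once the group lookup succeeds the member can both search and modify the address book; the userPassword rule behaves the same way, with "Me" getting write on its own password, anonymous getting auth, and "You" getting none on Me's entry because evaluation stops at the first matching rule rather than falling through. Two things a live server adds that this model cannot: the ACL log Chris points at (loglevel acl, numeric 128) shows the real normalization and which <who> clause was tried, and "ACL5" is not an ACL at all: disallow bind_anon refuses anonymous bind requests but, as slapd.conf(5) notes, does not by itself forbid anonymous directory access, which needs require authc. Since dn.regex patterns are not anchored, tightening the capture to ([^,]+) and anchoring with $ keeps $1 to exactly one RDN value when the same rule is later applied to entries below the address books.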
openldap-software@openldap.org