Here is how my client is binding...
Base DN
o=Home,ou=AddressBooks,dc=Mycompany,dc=com
Bind DN
cn=Me,ou=Users,dc=MyCompany,dc=com
I am a member of the Home group
dn: o=Home,ou=Groups,dc=MyCompany,dc=com
objectclass: top
objectclass: groupOfNames
cn: Home
member: cn=Me,ou=Users,dc=MyCompany,dc=com
I wanted to send this out, to show you how I was binding with the client...
I'll turn on the logging for ACL parsing like you suggested.
--On Thursday, July 31, 2008 9:11 AM -0400 "Chris G. Sellers" <chris.sellers(a)nitle.org> wrote:
I think your ACLs are not allowing you to do what you want, but I can't say for sure without knowing how your client is binding to your directory.
If you turn on openldap's logging for ACL parsing, you should see the connection and if it was allowed or denied for the given bind.
( 128 (0x80 ACL) access control list processing
: see man slapd.conf for details under loglevel )
Give that a try, and then you should be able to relax or adjust your ACLs to allow access.
I hope that helps
Sellers
On Jul 30, 2008, at 10:42 PM, david stackis wrote:
> Hi -
>
> First off, I want to apologize for posting to list when I really should
> have read more.
> Tonight I read all of Chapter 7.4 in the OpenLDAP Software 2.4 Admin
> Guide....and I'm still scratching my head wondering why this isn't working.
>
> Here's my structure...
> I have two Groups..."Home", and "Work"
> I have two Users..."Me", and "You". These users have passwords.
>
> I can search my LDAP using the rootdn, and I'm able to add to each of the
> Group AddressBooks "Home", and "Group" using the rootdn. What I can't seem
> to do, is have user "Me" or "You" access any of the AddressBooks.
>
> The user "Me" has access to "Home" and "You" has access to "Work"; each has
> two different email addresses.
>
> Again...the rootdn can see everything in Thunderbird...but it's "Me" and
> "You" that seem to have no access.
> Could someone please point me in the right direction.
>
> I'm also using Apache Directory Studio, and I verified that the four
> entries I added...two being placed in the "Home" AddressBook, and the other
> two in the "Work" AddressBook. The ACLs I'm using are below...and further
> down is my LDIF I used to create my structure.
>
> I've tried attrs=userPassword, and attr=userPassword...I've seen both of
> these examples used.
>
> Thank you for any help.
>
> # ACL1
> access to attrs=userPassword
> by self write
> by anonymous auth
> # ACL2
> access to dn.regex="o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
> by group.expand="cn=$1,ou=Groups,dc=MyCompany,dc=com" write
> # ACL3
> access to dn.base="ou=AddressBooks,dc=MyCompany,dc=com" by * read
> access to dn.base="" by * read
> # ACL4
> access to dn.base="cn=Subschema" by * read
> # ACL5
> disallow bind_anon
>
> The LDIF I used...
> # Initialize the suffix entry defined in slapd.conf
> #
> dn: dc=MyCompany,dc=com
> objectclass: top
> objectclass: organization
> objectclass: dcObject
> dc: MyCompany
> o: cctr
>
> #
> # Initialize the AddressBooks hierarchy
> #
> dn: ou=AddressBooks,dc=MyCompany,dc=com
> objectclass: top
> objectclass: organizationalUnit
> ou: AddressBooks
>
> #
> # Define individual address books
> #
> dn: o=Home,ou=AddressBooks,dc=MyCompany,dc=com
> objectclass: top
> objectclass: organization
> o: Home
>
> dn: o=Work,ou=AddressBooks,dc=MyCompany,dc=com
> objectclass: top
> objectclass: organization
> o: Work
>
> #
> # Initialize the Users hierarchy
> #
> dn: ou=Users,dc=MyCompany,dc=com
> objectclass: top
> objectclass: organizationalUnit
> ou: Users
>
> #
> # Define individual users
> #
> dn: cn=Me,ou=Users,dc=MyCompany,dc=com
> objectclass: top
> objectclass: person
> cn: Me
> sn: My LastName
> userPassword: {crypt}XXXXXX
>
> dn: cn=You,ou=Users,dc=MyCompany,dc=com
> objectclass: top
> objectclass: person
> cn: You
> sn: You LastName
> userPassword: {crypt}XXXXXX
>
> #
> # Initialize the Groups hierarchy
> #
> dn: ou=Groups,dc=MyCompany,dc=com
> objectclass: top
> objectclass: organizationalUnit
> ou: Groups
>
> #
> # Group users into separate address books
> #
> dn: o=Home,ou=Groups,dc=MyCompany,dc=com
> objectclass: top
> objectclass: groupOfNames
> cn: Home
> member: cn=Me,ou=Users,dc=MyCompany,dc=com
>
> dn: o=Work,ou=Groups,dc=ucsb,dc=edu
> objectclass: top
> objectclass: groupOfNames
> cn: Work
> member: cn=You,ou=Users,dc=MyCompany,dc=com
>
>
> -------------------
> david stackis
>
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers(a)nitle.org
Jabber: csellers(a)nitle.org | AIM: imthewherd
-------------------
david stackis
uc santa barbara
phone: 805-893-8286
http://isc.ucsb.edu
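The following is an added example, not code from the thread or from OpenLDAP. It simulates in Python how slapd handles ACL2 from the posted slapd.conf: the target DN is matched against the dn.regex pattern, the captured group is substituted into the group.expand template, and the bind DN is then looked up in that group's member attribute. The DNs come from the posted LDIF and are loaded into a constructed in-memory dict standing in for the directory. Run against those DNs, the posted template cn=$1,ou=Groups,dc=MyCompany,dc=com expands to a group entry the LDIF never creates (the groups are named o=Home and o=Work), so the clause grants nothing to anyone. For contrast, FIXED_REGEX / FIXED_GROUP are an assumed corrected pair (anchored with ^ and $, capturing a single RDN value with [^,]+, covering both the address-book entry and contact entries beneath it, and naming the group with the o= RDN the LDIF actually uses); those two constants, the cn=Alice contact entry and the DIRECTORY dict are assumptions for illustration only.

```python
"""Simulate slapd's dn.regex + group.expand ACL evaluation (added example)."""
import re

# Constructed in-memory stand-in for the directory, built from the DNs posted
# in the thread. This is not a live slapd; it only records DNs and group members.
DIRECTORY = {
    "o=Home,ou=AddressBooks,dc=MyCompany,dc=com": {},
    "o=Work,ou=AddressBooks,dc=MyCompany,dc=com": {},
    "cn=Me,ou=Users,dc=MyCompany,dc=com": {},
    "cn=You,ou=Users,dc=MyCompany,dc=com": {},
    # Group entries exactly as named in the posted LDIF: RDN is "o=", not "cn=".
    "o=Home,ou=Groups,dc=MyCompany,dc=com": {
        "member": ["cn=Me,ou=Users,dc=MyCompany,dc=com"]},
    "o=Work,ou=Groups,dc=MyCompany,dc=com": {
        "member": ["cn=You,ou=Users,dc=MyCompany,dc=com"]},
}

# Regex and group template exactly as posted in ACL2.
POSTED_REGEX = r"o=(.+),ou=AddressBooks,dc=MyCompany,dc=com"
POSTED_GROUP = "cn=$1,ou=Groups,dc=MyCompany,dc=com"

# Assumed corrected pair (not from the thread): anchored, captures one RDN
# value only, matches the address book itself and any entry under it, and
# builds the group DN with the "o=" RDN the LDIF uses.
FIXED_REGEX = r"^(.+,)?o=([^,]+),ou=AddressBooks,dc=MyCompany,dc=com$"
FIXED_GROUP = "o=$2,ou=Groups,dc=MyCompany,dc=com"


def expand_group_dn(acl_regex, target_dn, group_template):
    """Match target_dn against the ACL's dn.regex and substitute $N in the
    group.expand template with the captured groups, as slapd does.
    Returns None when the ACL clause does not apply to target_dn at all.
    (slapd matches the normalized DN; this simulation compares literally.)"""
    m = re.search(acl_regex, target_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)",
                  lambda ref: m.group(int(ref.group(1))) or "",
                  group_template)


def group_grants(acl_regex, group_template, target_dn, bind_dn,
                 directory=DIRECTORY):
    """Evaluate one 'by group.expand=... write' clause for a bind DN.
    Returns (expanded_group_dn, granted). A group DN that does not exist in
    the directory is simply a non-match, so it grants nothing and slapd moves
    on to the next <by> clause (here there is none, so access is denied)."""
    group_dn = expand_group_dn(acl_regex, target_dn, group_template)
    if group_dn is None:
        return None, False
    entry = directory.get(group_dn)
    if entry is None:
        return group_dn, False
    return group_dn, bind_dn in entry.get("member", [])


def evaluate_all(acl_regex, group_template, directory=DIRECTORY):
    """Check both users against both address books and a constructed contact
    entry (cn=Alice) under each. Returns {(bind_dn, target_dn): (group_dn, ok)}."""
    results = {}
    for user in ("Me", "You"):
        bind_dn = f"cn={user},ou=Users,dc=MyCompany,dc=com"
        for book in ("Home", "Work"):
            book_dn = f"o={book},ou=AddressBooks,dc=MyCompany,dc=com"
            contact_dn = f"cn=Alice,{book_dn}"  # constructed child entry
            for target in (book_dn, contact_dn):
                results[(bind_dn, target)] = group_grants(
                    acl_regex, group_template, target, bind_dn, directory)
    return results


if __name__ == "__main__":
    for label, rx, tpl in (("posted", POSTED_REGEX, POSTED_GROUP),
                           ("fixed", FIXED_REGEX, FIXED_GROUP)):
        print(f"--- ACL2 as {label} ---")
        for (bind_dn, target), (gdn, ok) in evaluate_all(rx, tpl).items():
            print(f"{bind_dn} -> {target}\n    group={gdn} "
                  f"{'write' if ok else 'none'}")
```

Two things to keep in mind when reading the output against a real server. First, slapd evaluates `access to` directives in order and uses the first whose `<what>` matches the entry; within it, the first matching `<by>` clause wins, and if none matches the request is denied, so ACL2 needs no explicit `by * none` but also grants nothing to anyone the expanded group does not list. Second, the offline way to check a single bind/target pair without a client is `slapacl -f slapd.conf -D <bind DN> -b <target DN>` (part of the OpenLDAP 2.4 server tools), which complements the `loglevel 128` ACL trace suggested earlier in the thread.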