I would like to allow a user to edit everything in a given subtree.
For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in *,ou=Users,dc=example,dc=com.
I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up access for that user, but I keep getting "insufficient access".
conn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
conn=5 op=0 RESULT tag=97 err=0 text=
conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
My rule in slapd.conf is:
access to dn="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by dn="uid=Operator,ou=Users,dc=example,dc=com" read
I also tried to use:
access to dn.subtree="ou=Users,dc=example,dc=com" ...
But then I'm not even able to connect.
Have you put your "access" block AFTER your database declaration?
ex:
database hdb
suffix ....
rootdn ...
access to...
Because I have already had this error due to a bad delete/paste in my conf.
On Fri, Sep 4, 2009 at 12:02 PM, Tomasz Chmielewski mangoo@wpkg.org wrote:
-- Tomasz Chmielewski http://wpkg.org
Lepoutre Lionel wrote:
I have three entries now; with the second entry, I'm able to edit everything in "ou=Users..." with uid=Operator:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
access to *
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by * read
However, with this entry, the system is not able to list the users in LDAP...
hello,
Tomasz Chmielewski wrote:
My rule in slapd.conf is:
access to dn="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by dn="uid=Operator,ou=Users,dc=example,dc=com" read
I also tried to use:
access to dn.subtree="ou=Users,dc=example,dc=com" ...
I have this rule:
access to dn.subtree="ou=services,dc=example,dc=com"
    by dn="uid=serviceswriterunr,ou=people,dc=example,dc=com" write
    by * none
(without the read...) which works here...
hope that'll help,
-- Thomas van Oudenhove - Université de Toulouse tél: (+33) 5 61 36 60 45 jabberID: thomasvo@im.apinc.org
On 04/09/2009 12:02, Tomasz Chmielewski wrote:
Hi,
I recommend that you read the chapter on access control from the *OpenLDAP* admin guide: http://www.openldap.org/doc/admin24/access-control.html
In this particular case, I expect that you have other access rules that may be blocking this one - remember that order is important, and the first rule matching on the <what> part will define the access level.
Help in setting up ACLs is available through two other means:
1) If you use the command line ldap* tools, they often output some additional info along with the error 50, like this:
ldap_delete: Insufficient access (50) additional info: no write access to parent
2) You can enable loglevel acl in your configuration file and check the logs to see which rules are being used.
I hope this helps. If you have further questions, don't hesitate to post back here with your full set of ACLs, and information on the version of slapd you're using.
Regards, Jonathan
Jonathan Clarke wrote:
- You can enable loglevel acl in your configuration file and check the logs to see which rules are being used.
I hope this helps. If you have further questions, don't hesitate to post back here with your full set of ACLs, and information on the version of slapd you're using.
I think I have it working with changing this set of ACLs:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by * read
to this:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to dn.subtree="ou=Groups,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by * read
And I think I should comment out "by anonymous auth" from the two entries I added...
On 04/09/2009 14:16, Tomasz Chmielewski wrote:
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
Be careful - none of the "by" clauses after the 2nd ("by * read") will be read. The first matching clause wins, and "*" matches everyone.
access to dn.subtree="ou=Groups,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by * read
And I think I should comment out "by anonymous auth" from the two entries I added...
auth is only meaningful on the userPassword attribute, which you already granted in your first ACL (well, except some implicit searches during bind, but this is a rare case).
Jonathan
Jonathan Clarke wrote:
Thanks for an explanation - it's now more clear to me how these rules are processed.
Tomasz Chmielewski mangoo@wpkg.org writes:
My rule in slapd.conf is:
access to dn="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by dn="uid=Operator,ou=Users,dc=example,dc=com" read
This "access to" rule only allows access to dn.base=ou=Users.. The write privilege includes the read, compare and auth privileges, so the second "by" clause is never checked and can be omitted. You should follow http://www.openldap.org/doc/admin24/access-control.html in order to have valid and authoritative documentation.
I also tried to use:
access to dn.subtree="ou=Users,dc=example,dc=com" ...
read man slapd.access(5)
-Dieter
openldap-software@openldap.org
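The two first-match rules this thread turns on (Jonathan's point that the first matching "by" clause wins, so nothing after "by * read" is ever reached, and Dieter's point that a bare dn= in the "to" clause is dn.base=, so it never covers the entries under ou=Users) are easy to get wrong by reading, so here is a small model of them in Python. This is an added example, not OpenLDAP code: it implements only the subset of slapd.access(5) syntax used in the thread (what: *, dn=, dn.base/one/subtree/children=, attrs=; who: *, self, anonymous, dn=), treats write as implying read, and treats "no matching directive" as "none", which is what slapd does once any access directive is configured. The DNs and directives are the ones posted above; the ou=Groups directive and, in the last two sets, the catch-all are left out for brevity, and FIXED is the poster's second directive with the "by * read" clause moved last so that the self and replica clauses become reachable.

```python
"""Toy model of slapd ACL evaluation; an added example, not OpenLDAP code.

Only the first `access to <what>` directive whose <what> matches the target
is consulted, and inside it the first `by <who>` clause matching the
requester decides the level, so clauses after `by * ...` are dead text.
Levels are cumulative (write implies read).  Only the slapd.access(5)
subset used in the thread is modelled.
"""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def norm(dn):
    return [p.strip().lower() for p in dn.split(",")]

def dn_matches(scope, base, target):
    b, t = norm(base), norm(target)
    below = len(t) > len(b) and t[-len(b):] == b
    return {"base": b == t, "one": below and len(t) == len(b) + 1,
            "children": below, "subtree": below or b == t}[scope]

def parse_acls(text):
    """Parse `access to <what> by <who> <level> ...`; indented lines continue."""
    acls = []
    for chunk in re.split(r"\n(?=\S)", text.strip()):
        tok = shlex.split(chunk)  # newlines are whitespace; quotes around DNs drop
        assert tok[:2] == ["access", "to"], chunk
        what, i = {"scope": None, "dn": None, "attrs": None}, 2
        while i < len(tok) and tok[i] != "by":
            if tok[i].startswith("attrs="):
                what["attrs"] = set(tok[i][6:].lower().split(","))
            elif tok[i] != "*":  # bare dn= means dn.base=, the original post's trap
                m = re.fullmatch(r"dn(?:\.(base|one|subtree|children))?=(.*)", tok[i])
                what["scope"], what["dn"] = m.group(1) or "base", m.group(2)
            i += 1
        acls.append((what, [(tok[j + 1], tok[j + 2]) for j in range(i, len(tok), 3)]))
    return acls

def who_matches(who, bind_dn, target):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    return norm(bind_dn) == norm(target if who == "self" else who[len("dn="):])

def access_level(acls, bind_dn, target, attr="entry"):
    """(level, directive index) for bind_dn on (target, attr); "entry" and
    "children" are slapd's pseudo-attributes for the entry and for adds/deletes
    under it.  No matching directive, or no matching <who>, means "none"."""
    for idx, (what, bys) in enumerate(acls):
        if what["dn"] and not dn_matches(what["scope"], what["dn"], target):
            continue
        if what["attrs"] is not None and attr.lower() not in what["attrs"]:
            continue
        return next((lvl for who, lvl in bys if who_matches(who, bind_dn, target)), "none"), idx
    return "none", None

def allowed(acls, bind_dn, target, attr, needed):
    return LEVELS.index(access_level(acls, bind_dn, target, attr)[0]) >= LEVELS.index(needed)

def can_delete(acls, bind_dn, target):
    """ldapdelete needs write on the entry and on the parent's 'children'."""
    parent = target.split(",", 1)[1]
    return (allowed(acls, bind_dn, target, "entry", "write")
            and allowed(acls, bind_dn, parent, "children", "write"))

OPERATOR = "uid=Operator,ou=Users,dc=example,dc=com"
USER3 = "uid=d.user3,ou=Users,dc=example,dc=com"

# First attempt from the thread: dn= is dn.base=, so uid=d.user3 is not
# covered and falls through to the catch-all, which grants only read.
ORIGINAL = parse_acls("""
access to dn="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
access to * by dn="uid=replica,ou=Users,dc=example,dc=com" write by * read
""")

# Later set from the thread: everything after `by * read` is unreachable.
SHADOWED = parse_acls("""
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
""")

# Same directives with the catch-all moved last, so self and replica reach it.
FIXED = [(what, sorted(bys, key=lambda b: b[0] == "*")) for what, bys in SHADOWED]
```

With ORIGINAL, access_level(ORIGINAL, OPERATOR, USER3) comes back as read from the catch-all, which is exactly the "no write access to entry" in the posted log, while the same bind does get write on ou=Users itself. With SHADOWED the Operator can delete uid=d.user3 (the subtree directive also covers the parent's "children"), but d.user3 binding as self only gets read on its own mail attribute, because "by * read" matches before "by self write". FIXED (in slapd.conf terms: Operator write, self write, replica write, then "by * read") gives self and replica their write back. One caveat the model makes visible: because the attrs=userPassword,... directive comes first and ends in "by * none", the Operator can delete users but cannot set or reset their passwords; that is a separate decision to make, not something the subtree rule grants.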