I went through the slapd.access and slapacl manuals and read the FAQ, but I'm stuck. I cannot give a user the privilege to write to some parts of my LDAP tree.
LDIF export of the relevant parts of my tree:
----------------------------
# LDIF export for: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# LDIF export for: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: base
# Search filter: (objectClass=*)
# Total objects: 1

dn: ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy
ou: moodleusers
objectClass: organizationalUnit
objectClass: top

# LDIF export for: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
# Server: ldap sub.domain.xyz.xy (127.0.0.1)
# Search scope: sub
# Search filter: (objectClass=*)
# Total objects: 1

dn: uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy
uid: usuariomoodle-admin
userPassword: ...
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
----------------------------
and now slapd.conf:
----------------------------
# 1
access to dn.base="cn=Subschema"
        by * read
# 2
access to attrs=userPKCS12
        by self write
        by * auth
# 3
access to attrs=shadowLastChange
        by self write
        by * read
# 4
access to attrs=userPassword
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous auth
        by self write
        by * none
# 5
access to dn.base=""
        by * read
# 6
access to *
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read
# 7
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

# Previous tries
#access to dn.subtree="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
#        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to dn.children="dc=sub,dc=domain,dc=xyz,dc=xy"
#        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
#access to * (!)
#        by dn.exact="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

suffix "dc=sub,dc=domain,dc=xyz,dc=xy"
rootdn "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy"
rootpw ...
----------------------------
I also tried setting the usuariomoodle-admin permissions to "=mwrscxd", since that is the exact output from slapacl for "cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy". Following the ACLs in that order, I can't find where, if it exists, an ACL breaks my ACL number 7. I used phpldapadmin, logged in as usuariomoodle-admin, and could not create child objects, nor modify existing ones. Using the external application (the one this ACL is for) to try to write to the LDAP tree didn't work either. Finally, slapacl showed just "rscxd" as the permissions for that user, despite the fact that I set write permission in slapd.conf for that resource and that user.
What's wrong?
thanks,
lauro
Summarising your post, here are your "active" ACLs by the looks of it:
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to attrs=userPassword
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
        by * read
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
        by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
The rule for "usuariomoodle-admin" is inaccessible. As ACLs are only processed until a match is found, you can never get to this rule: the preceding rule says give read to *, so the ACL evaluation will always stop there if it hasn't already been caught by one of the others. Simply move that last access rule above the "access to *" one and you should get things moving in the right direction.
Shane.
openldap-software@openldap.org
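A small model of the evaluation order Shane describes, added here as an illustration; it is not code from the thread or from OpenLDAP. It encodes the seven posted directives and reports which directive decides, and at what level, for uid=usuariomoodle-admin: with the posted order, with rule 7 moved above "access to *", and with dn.subtree in place of the bare dn= so that entries under the OU are covered too. The model treats a bare dn= as dn.exact, uses a constructed child DN (uid=someone,ou=moodleusers,...), and leaves out the entry/children pseudo-attributes, break/continue controls, regex styles and the rootdn bypass; all of those are assumptions of the example, not statements about the poster's server.

```python
"""Toy model of slapd ACL selection (added example, not from the thread or OpenLDAP).

Evaluation order as documented in slapd.access(5): the first `access to` directive
whose <what> matches the target is selected and later directives are never looked
at; inside it, the first `by` clause whose <who> matches the requestor decides, and
if no `by` clause matches the implicit `by * none` applies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access levels from weakest to strongest, in the order slapd.access(5) lists them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def dn_norm(dn: str) -> str:
    """Case-fold and strip spaces around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""


def is_below(dn: str, base: str) -> bool:
    """True when dn is strictly below base (a descendant at any depth)."""
    dn, base = dn_norm(dn), dn_norm(base)
    return dn != base and dn.endswith("," + base)


@dataclass
class Acl:
    what: str                     # "*", "dn=<dn>", "dn.base=<dn>", "dn.subtree=<dn>", "dn.children=<dn>", "attrs=<a,b>"
    by: List[Tuple[str, str]]     # [(who, level)]; who in "*", "self", "anonymous", "dn=<dn>", "dn.exact=<dn>"

    def matches_what(self, target_dn: str, attr: Optional[str]) -> bool:
        if self.what == "*":
            return True
        key, _, val = self.what.partition("=")
        if key == "attrs":        # attribute directives only apply when an attribute is being checked
            return attr is not None and attr.lower() in [a.strip().lower() for a in val.split(",")]
        if key in ("dn", "dn.exact", "dn.base"):   # bare dn= modelled as exact (assumption)
            return dn_norm(target_dn) == dn_norm(val)
        if key == "dn.subtree":
            return dn_norm(target_dn) == dn_norm(val) or is_below(target_dn, val)
        if key == "dn.children":
            return is_below(target_dn, val)
        raise ValueError(f"unsupported <what>: {self.what}")

    def level_for(self, bind_dn: Optional[str], target_dn: str) -> str:
        for who, level in self.by:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn is not None and dn_norm(bind_dn) == dn_norm(target_dn):
                return level
            if who.startswith("dn") and bind_dn is not None and dn_norm(bind_dn) == dn_norm(who.partition("=")[2]):
                return level
        return "none"             # no <who> matched: implicit "by * none"


def evaluate(acls: List[Acl], bind_dn: Optional[str], target_dn: str, attr: Optional[str] = None):
    """Return (1-based index of the directive that decided, access level granted)."""
    for i, acl in enumerate(acls, 1):
        if acl.matches_what(target_dn, attr):
            return i, acl.level_for(bind_dn, target_dn)
    return None, "none"           # nothing matched: default deny (the real rootdn bypasses ACLs entirely)


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


BASE = "dc=sub,dc=domain,dc=xyz,dc=xy"
ADMIN = f"cn=admin,{BASE}"
MOODLE_OU = f"ou=moodleusers,{BASE}"
MOODLE_ADMIN = f"uid=usuariomoodle-admin,{BASE}"
CHILD = f"uid=someone,{MOODLE_OU}"   # constructed: an entry the Moodle admin would try to create

# The seven directives from the posted slapd.conf, in the posted order.
POSTED = [
    Acl("dn.base=cn=Subschema", [("*", "read")]),
    Acl("attrs=userPKCS12", [("self", "write"), ("*", "auth")]),
    Acl("attrs=shadowLastChange", [("self", "write"), ("*", "read")]),
    Acl("attrs=userPassword", [(f"dn={ADMIN}", "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    Acl("dn.base=", [("*", "read")]),
    Acl("*", [(f"dn={ADMIN}", "write"), ("*", "read")]),
    Acl(f"dn={MOODLE_OU}", [(f"dn={MOODLE_ADMIN}", "write")]),
]
# Shane's fix: the Moodle rule moved above "access to *".
REORDERED = POSTED[:5] + [POSTED[6], POSTED[5]]
# Same order, but dn.subtree so that entries under the OU are covered as well.
SUBTREE = POSTED[:5] + [Acl(f"dn.subtree={MOODLE_OU}", POSTED[6].by), POSTED[5]]


def main() -> None:
    for label, acls in (("posted", POSTED), ("reordered", REORDERED), ("subtree", SUBTREE)):
        for target in (MOODLE_OU, CHILD):
            rule, level = evaluate(acls, MOODLE_ADMIN, target)
            print(f"{label:9s} {target:55s} rule {rule} -> {level:5s} write? {allows(level, 'write')}")


if __name__ == "__main__":
    main()
```

Two things the run makes visible that the thread only hints at: with the posted order the "access to *" directive (rule 6) answers for everything the earlier rules did not catch, so rule 7 is dead; and after the move a bare dn= still only reaches the OU entry itself, so creating children still needs dn.subtree (or dn.children) on the target, which is what the commented-out first "previous try" had, back when it was equally shadowed. Note also that cn=admin is the rootdn here, and the rootdn is never subject to ACLs, so slapacl reporting full rights for it says nothing about what these directives grant.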