Hi,
Sorry if it sounds like a newbie question/problem, but: Could anybody send me a working example of how I can use an ACL containing a by group part? I've found a few examples on the net, but a part of it rendered any of the by lines which followed the group one ignored, others have crashed slapd immediately on startup. (My slapd is version 2.3.38 and I still use slapd.conf file based configuration)
Thanks in advance
Geza Gemes
In the tests directory there are a few examples such as...
data/slapd-acl.conf: by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
testdata/slapd-idassert.conf: by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
You can see these in action with the ACL or idassert tests (e.g. "./run test006" in the tests directory); look in the testrun directory for output.
On Mon, 3 Dec 2007, Gémes Géza wrote:
Hi,
Sorry if it sounds like a newbie question/problem, but: Could anybody send me a working example of how I can use an ACL containing a by group part? I've found a few examples on the net, but a part of it rendered any of the by lines which followed the group one ignored, others have crashed slapd immediately on startup. (My slapd is version 2.3.38 and I still use slapd.conf file based configuration)
Thanks in advance
Geza Gemes
Aaron Richton wrote:
In the tests directory there are a few examples such as...
data/slapd-acl.conf: by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
testdata/slapd-idassert.conf: by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
You can see these in action with the ACL or idassert tests (e.g. "./run test006" in the tests directory); look in the testrun directory for output.
On Mon, 3 Dec 2007, Gémes Géza wrote:
Hi,
Sorry if it sounds like a newbie question/problem, but: Could anybody send me a working example of how I can use an ACL containing a by group part? I've found a few examples on the net, but a part of it rendered any of the by lines which followed the group one ignored, others have crashed slapd immediately on startup. (My slapd is version 2.3.38 and I still use slapd.conf file based configuration)
Thanks in advance
Geza Gemes
Thank you to all of you for your answers!
I should have thought about the second example. Unfortunately I was trying to make something similar to the first one work, with slapd crashing at startup. My entry crashing slapd was:
by group/posixGroup/memberUid.exact="cn=..." write
maybe my fault was thinking that I could use the memberUid optional attribute of the posixGroup objectclass (from the nis.schema).
Thank you again!
Geza Gemes
Hi,
How to write a password filter for OpenLDAP?
I want to make a specific policy, I think that a password filter is the best way.
marcelo.xavier@caixa.gov.br wrote:
Hi,
How to write a password filter for OpenLDAP?
I want to make a specific policy, I think that a password filter is the best way.
man slapo-ppolicy
crashing at startup. My entry crashing slapd was: by group/posixGroup/memberUid.exact="cn=..." write maybe my fault was thinking that I could use the memberUid optional attribute of the posixGroup objectclass (from the nis.schema).
My copy of nis.schema has memberUid as EQUALITY caseExactIA5Match, but it looks like that statement expects an attribute that is EQUALITY distinguishedNameMatch. It still shouldn't core dump; if you can reproduce that in the latest version, you should file it in the ITS system. But once the core dump is fixed, don't expect it to work necessarily...
(or maybe it'll just bail out as invalid configuration.)
(Free hint: There might be a module in contrib that does what you're looking for...though maybe not, I'm not particularly sure what you're looking for exactly.)
Gémes Géza wrote:
My entry crashing slapd was: by group/posixGroup/memberUid.exact="cn=..." write
I have tested the above case with a fresh 2.3 and it doesn't crash; it rather complains because the syntax is invalid, and exits with an error (the intended behavior). What's the meaning of the term "crash" for you?
maybe my fault was thinking that I could use the memberUid optional attribute of the posixGroup objectclass (from the nis.schema).
In fact, memberUid does not have distinguishedName syntax, and thus can't be used as a group member. Slapd is behaving as expected.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
Pierangelo Masarati wrote:
Gémes Géza wrote:
My entry crashing slapd was: by group/posixGroup/memberUid.exact="cn=..." write
I have tested the above case with a fresh 2.3 and it doesn't crash; it rather complains because the syntax is invalid, and exits with an error (the intended behavior). What's the meaning of the term "crash" for you?
maybe my fault was thinking that I could use the memberUid optional attribute of the posixGroup objectclass (from the nis.schema).
In fact, memberUid does not have distinguishedName syntax, and thus can't be used as a group member. Slapd is behaving as expected.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
The 2.3.39 didn't crash for me either.
Thanks for the help.
Cheers
Geza
Gémes Géza wrote:
Hi,
Sorry if it sounds like a newbie question/problem, but: Could anybody send me a working example of how I can use an ACL containing a by group part? I've found a few examples on the net, but a part of it rendered any of the by lines which followed the group one ignored, others have crashed slapd immediately on startup.
Slapd is not supposed to crash because of an ACL error. Can you provide more details (e.g. the offending access directive, and a stack backtrace of the core dump)?
(My slapd is version 2.3.38 and I still use slapd.conf file based configuration)
2.3.39 is the latest (although 2.3.38 is recent enough for issues in ACLs).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
openldap-software@openldap.org
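
A pre-flight check for the failure discussed in this thread, added here as an example (it is not code from the list or from the OpenLDAP project): it scans slapd.conf text for "by group" clauses and flags a member attribute that is not DN-valued, which is why memberUid was rejected. The syntax table, the function name lint_group_clauses and the sample configuration are constructed for illustration; the accepted-syntax set is an assumption based on the replies above and the test-suite clauses they quote.

```python
import re

# Constructed table: SYNTAX OIDs as declared in the stock core.schema / nis.schema.
ATTR_SYNTAX = {
    "member":       "1.3.6.1.4.1.1466.115.121.1.12",  # Distinguished Name
    "uniquemember": "1.3.6.1.4.1.1466.115.121.1.34",  # Name And Optional UID
    "memberuid":    "1.3.6.1.4.1.1466.115.121.1.26",  # IA5 String (login names)
}
# Assumption: only DN-valued syntaxes can name group members in an ACL.
DN_SYNTAXES = {ATTR_SYNTAX["member"], ATTR_SYNTAX["uniquemember"]}

# by group[/objectclass[/attribute]][.style]="<group DN>" <access>
GROUP_CLAUSE = re.compile(
    r'\bby\s+group(?:/(?P<oc>[\w-]+)(?:/(?P<attr>[\w-]+))?)?'
    r'(?:\.(?P<style>\w+))?="(?P<dn>[^"]*)"\s+(?P<access>\S+)'
)

def lint_group_clauses(conf_text):
    """Return (line_no, attr, verdict) for every 'by group' clause found."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = GROUP_CLAUSE.search(line)
        if not m:
            continue
        # slapd defaults to groupOfNames/member when oc/attr are omitted.
        attr = m.group("attr") or "member"
        syntax = ATTR_SYNTAX.get(attr.lower())
        if syntax is None:
            verdict = "unknown attribute: check its schema definition"
        elif syntax in DN_SYNTAXES:
            verdict = "ok"
        else:
            verdict = "rejected: member attribute is not DN-valued"
        findings.append((no, attr, verdict))
    return findings

# Constructed sample; the first two clauses are the ones quoted from the
# test suite, the third mirrors the failing clause with a made-up group DN.
SAMPLE_CONF = '''\
access to dn.subtree="ou=People,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
    by group/posixGroup/memberUid.exact="cn=staff,ou=Groups,dc=example,dc=com" write
    by * none
'''

if __name__ == "__main__":
    for no, attr, verdict in lint_group_clauses(SAMPLE_CONF):
        print(f"line {no}: {attr}: {verdict}")
```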