Hi folks,
I am trying to get an ACL for an address book to work.
The relevant ACL statements are:
access to attrs=userPassword,userPKCS12
    by dn="cn=admin,dc=graylion,dc=net" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    by dn="uid=$1,ou=users,dc=graylion,dc=net" write
    by dn.regex="cn=admin,dc=graylion,dc=net" read
    by users none
access to *
    by dn="cn=admin,dc=graylion,dc=net" write
    by * read
I have also tried using
    by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
but in all cases I get the following (when I try to add something to my personal address book):
Apr 12 12:59:32 collab slapd[17093]: do_add
Apr 12 12:59:32 collab slapd[17093]: >>> dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: <<< dnPrettyNormal: <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>, <uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net>
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 ADD dn="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: bdb_referrals: op=104 target="uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" matched="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "inetOrgPerson"
Apr 12 12:59:32 collab slapd[17093]: oc_check_required entry (uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net), objectClass "mozillaAbPersonAlpha"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "uid"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "objectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "cn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "givenName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "sn"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "displayName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "c"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "structuralObjectClass"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryUUID"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "creatorsName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "createTimestamp"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "entryCSN"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifiersName"
Apr 12 12:59:32 collab slapd[17093]: oc_check_allowed type "modifyTimestamp"
Apr 12 12:59:32 collab slapd[17093]: bdb_dn2entry("uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net")
Apr 12 12:59:32 collab slapd[17093]: => bdb_dn2id( "uid=0430d7cb45d65818410b30ff9c9a130a,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" )
Apr 12 12:59:32 collab slapd[17093]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access to "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" "children" requested
Apr 12 12:59:32 collab slapd[17093]: => dn: [2]
Apr 12 12:59:32 collab slapd[17093]: => dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] matched
Apr 12 12:59:32 collab slapd[17093]: => acl_get: [3] attr children
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: access to entry "cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net", attr "children" requested
Apr 12 12:59:32 collab slapd[17093]: => acl_mask: to all values by "uid=graylion,ou=users,dc=graylion,dc=net", (=n)
Apr 12 12:59:32 collab slapd[17093]: <= acl_mask: no more <who> clauses, returning =n (stop)
Apr 12 12:59:32 collab slapd[17093]: => access_allowed: write access denied by =n
Apr 12 12:59:32 collab slapd[17093]: bdb_add: no write access to parent
Apr 12 12:59:32 collab slapd[17093]: send_ldap_result: conn=72 op=2 p=3
Apr 12 12:59:32 collab slapd[17093]: send_ldap_response: msgid=3 tag=105 err=50
Apr 12 12:59:32 collab slapd[17093]: conn=72 op=2 RESULT tag=105 err=50 text=no write access to parent
Now
    dnpat: [3] cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$ nsub: 1
seems to tell me that the regex gets matched correctly, but on the other hand it seems not to find
    by dn="uid=$1,ou=users,dc=graylion,dc=net" write
at all.
I seem to be missing something obvious. What is it?
Thanks,
Bernhard
Bernhard D Rohrer wrote:
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
>     by dn="uid=$1,ou=users,dc=graylion,dc=net" write
>     by dn.regex="cn=admin,dc=graylion,dc=net" read
>     by users none
This rule is bogus:
    by dn="uid=$1,ou=users,dc=graylion,dc=net" write
matches a DN exactly containing the literal "uid=$1,ou=users,dc=graylion,dc=net" (the default style has been "exact" for quite a long time);
    by dn.regex="cn=admin,dc=graylion,dc=net" read
uses a regex to match an exact value, which means that a DN __containing__ "cn=admin,dc=graylion,dc=net" (e.g. "cn=admin,dc=graylion,dc=network") would match as well;
    by users none
is not necessary, since anything not matching the previous "by" clauses will get the default privileges, i.e. "none" (actually, the default privileges should now be "disclose", so an explicit "by * none" could be necessary to strictly enforce "none").
p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
openldap-software@openldap.org
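As an added example (not part of either message above, and not something the reply's author posted), here is the address-book rule rewritten along the lines of that reply, in slapd.conf access syntax with the DNs from the original post. The owner clause uses dn.regex so that $<n> is actually expanded (with the default exact style, "$1" is compared as a literal string, which is why the log shows "no more <who> clauses"), the admin clause is exact rather than regex, the regexes are anchored so that a DN such as "cn=admin,dc=graylion,dc=network" cannot match, and an explicit "by * none" closes the rule. One thing here goes beyond the thread and is my own assumption: the "to" pattern is given an optional "^(.+,)?" prefix and the capture moves to $2, so that the same rule also covers the entries inside a book (uid=...,cn=graylion,ou=personal,...) without relying on an unanchored match.

```conf
# Rule as posted: "$1" is never expanded (dn= defaults to exact style),
# the admin regex is unanchored, and "by users none" adds nothing.
#access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
#    by dn="uid=$1,ou=users,dc=graylion,dc=net" write
#    by dn.regex="cn=admin,dc=graylion,dc=net" read
#    by users none

# Corrected rule. "(.+,)?" is an assumption added here so that both the
# book container (cn=<owner>,...) and the entries below it match; the
# owner name is therefore $2, not $1. Both regexes are anchored at both ends.
access to dn.regex="^(.+,)?cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    by dn.regex="^uid=$2,ou=users,dc=graylion,dc=net$" write
    by dn.exact="cn=admin,dc=graylion,dc=net" read
    by * none
```

Two points worth checking after applying this. First, as the posted log shows, an ADD is authorised against the parent's "children" pseudo-attribute ("write access to "cn=graylion,..." "children" requested"), so the rule must grant the owner write on the container entry itself, which the unqualified "to dn.regex=..." clause (no attrs= restriction) does. Second, the rule has to stay ahead of the catch-all "access to * ... by * read" rule, because slapd stops at the first "to" clause that matches the target; re-run the failing ldapadd with the same ACL debug level and confirm that the "acl_mask" line now reports the matched owner clause instead of "no more <who> clauses".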