Hello,
I'm using Phamm, a PHP web front-end to manage an LDAP/Postfix virtual hosting mail environment, on my Fedora 11 box (openldap 2.4.15-7).
It's designed to manage multi-role access:
- Admin/Manager (full access)
- postmaster (manage accounts under own domain)
- account/user (manage own account only)
The install instructions from the Phamm author recommend adding an include of the phamm.acl file at the end of slapd.conf.
But it's not working here: only Admin or Manager (rootdn) can write changes.
The postmaster user cannot write, and account users have read-only access as well.
Below I post phamm.acl. Please, can anyone help me with this ACL issue? Thanks! Juliano.
--- phamm.acl ---
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts by dn="cn=admin,dc=example,dc=tld" write by self read by set.expand="user/editAccounts & [TRUE]" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by * none
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=otherPath by dn="cn=admin,dc=example,dc=tld" write by anonymous read by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=createMaildir,vdHome,mailbox,otherTransport by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" read
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
access to dn.regex=".+,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self read
access to dn.regex="ou=admin,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self read
--- end ---
On 21/07/2010 02:28, Juliano Rodrigues wrote:
> Hello,
> I'm using Phamm, a PHP web front-end to manage an LDAP/Postfix virtual hosting mail environment, on my Fedora 11 box (openldap 2.4.15-7).
> It's designed to manage multi-role access: Admin/Manager (full access), postmaster (manage accounts under own domain), account/user (manage own account only).
> The install instructions from the Phamm author recommend adding an include of the phamm.acl file at the end of slapd.conf.
> But it's not working here: only Admin or Manager (rootdn) can write changes.
> The postmaster user cannot write, and account users have read-only access as well.
> Below I post phamm.acl. Please, can anyone help me with this ACL issue?
A few suggestions:
- Have you modified phamm.acl to contain your DN suffix instead of dc=example,dc=tld?
- ACLs are treated in order, and the first that matches wins. Do you have any other ACLs in your slapd.conf, before this include? If so, you need to adapt them to fit in with this one.
Hope this helps, Jonathan
On 21/07/10 05:33, Jonathan Clarke wrote:
> A few suggestions:
> - Have you modified phamm.acl to contain your DN suffix instead of dc=example,dc=tld?
> - ACLs are treated in order, and the first that matches wins. Do you have any other ACLs in your slapd.conf, before this include? If so, you need to adapt them to fit in with this one.
> Hope this helps, Jonathan
I'm using this DN suffix dc=example,dc=tld for test purposes at this first moment.
There are no other ACLs in my slapd.conf.
Why can't postmaster and users write changes? Thanks
Le 21/07/2010 14:29, Juliano Rodrigues a écrit :
> I'm using this DN suffix dc=example,dc=tld for test purposes at this first moment.
> There are no other ACLs in my slapd.conf.
> Why can't postmaster and users write changes? Thanks
Try running OpenLDAP with "loglevel acl" in slapd.conf or "-d acl" on the command line, and analyze that output. It will show you what access is requested by the client, and which ACLs give/deny it.
Jonathan
On 22/07/10 02:58, Jonathan Clarke wrote:
> Try running OpenLDAP with "loglevel acl" in slapd.conf or "-d acl" on the command line, and analyze that output. It will show you what access is requested by the client, and which ACLs give/deny it.
> Jonathan
Thanks for your reply, Jonathan. After debugging the ACLs, I still cannot find why postmaster doesn't have write access. Below is the loglevel acl output.
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 24: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 32: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 39: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 46: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 54: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 61: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 69: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 75: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 82: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 90: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 97: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 102: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 106: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 110: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 114: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2884]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access granted by read(=rscxd)
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access to "mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld" "quota" requested
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access granted by read(=rscxd)
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access granted by read(=rscxd)
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: search access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "entry" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default search access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: search access granted by read(=rscxd)
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: auth access granted by read(=rscxd)
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: add access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "children" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default add access denied to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: no more rules
Thanks for any help that points me in the right direction.
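An added worked example, not from the thread and not OpenLDAP or Phamm code, that replays the requests in the log above against the posted directives. It ties together Jonathan's two points (directives are tried in order and the first match wins; loglevel acl shows what each client asked for) and what the log actually shows. A "backend default" line is what slapd prints when no access directive at all applies to the backend holding the entry; slapd then uses its default of read, which is why every read, auth and search above is granted and the add is denied, whatever phamm.acl says. In slapd.conf an access directive belongs to the most recent database section, or is global if it appears before any database line, so the first thing to check is which database the include at the end of the file landed in. The model below takes four of the posted rules and shows what they would decide once attached: rule 3, the catch-all for vd= entries, covers the children pseudo-attribute because it has no attrs=, so it would grant cn=postmaster the add on vd=social.com.br; rule 2 gives that same postmaster only read on quota. Assumptions made here: DNs are compared case-insensitively as written (slapd compares normalised forms), dn= with no style is treated as exact, add/delete are folded into write, and set.expand clauses never match, because set evaluation needs the directory contents.

```python
import re

# Four of the fifteen directives, copied verbatim from the phamm.acl posted in this thread.
PHAMM_ACL = r'''
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
'''

# Constructed sample: three request/verdict pairs copied from the loglevel acl output above.
SAMPLE_LOG = '''
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access to "mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld" "quota" requested
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: add access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "children" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default add access denied to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
'''.strip().splitlines()

# Access levels in increasing order (slapd.access(5)); a grant satisfies any lower request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level(name):
    return LEVELS.index("write" if name in ("add", "delete") else name)  # add/delete folded into write (assumption)

WHAT_RE = re.compile(r'^access\s+to\s+dn\.regex="([^"]+)"(?:\s+attrs=(\S+))?')
BY_RE = re.compile(r'\bby\s+(\*|self|anonymous|[\w.,]+="[^"]*")\s+(\w+)')
REQ_RE = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
VERDICT_RE = re.compile(r'backend default \w+ access (granted|denied) to "([^"]+)"')

def parse_acl(text):
    """Each directive -> (compiled dn regex, lower-cased attrs or None, [(who, access)])."""
    rules = []
    for line in text.strip().splitlines():
        m = WHAT_RE.match(line)
        if not m:
            raise ValueError("only dn.regex <what> selectors are modelled: " + line[:40])
        attrs = m.group(2).lower().split(",") if m.group(2) else None
        bys = [(who, acc.lower()) for who, acc in BY_RE.findall(line[m.end():])]
        rules.append((re.compile(m.group(1), re.IGNORECASE), attrs, bys))
    return rules

def who_matches(who, requester, target, dn_match):
    """Does one <by> selector apply to requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    kind, _, pattern = who.rstrip('"').partition('="')
    if kind.startswith("set"):
        return False  # set ACLs need the entries' contents; not modelled
    if kind in ("dn", "dn.exact", "dn.exact,expand"):  # plain dn= taken as exact
        if kind.endswith("expand"):  # $N is submatch N of the <what> regex
            pattern = re.sub(r"\$(\d)", lambda s: dn_match.group(int(s.group(1))) or "", pattern)
        return requester is not None and requester.lower() == pattern.lower()
    raise ValueError("unsupported <who> selector: " + who)

def evaluate(rules, target, attr, requester, access):
    """First directive whose <what> matches (entry, attr) is used; its first matching <by> decides."""
    for i, (pat, attrs, bys) in enumerate(rules, 1):
        dm = pat.search(target)
        # No attrs= covers every attribute, including the entry/children pseudo-attributes.
        if not dm or (attrs is not None and attr.lower() not in attrs):
            continue
        for who, acc in bys:
            if who_matches(who, requester, target, dm):
                ok = level(acc) >= level(access)
                return ok, f"rule {i}: by {who} {acc} -> {'granted' if ok else 'denied'}"
        return False, f"rule {i}: no <by> clause matched (implicit by * none)"
    return False, "no more rules"  # a non-empty ACL list ends in an implicit "by * none"

def requests_from_log(lines):
    """Pair each 'requested' line with the verdict line that follows it."""
    out, pending = [], None
    for line in lines:
        req = REQ_RE.search(line)
        ver = VERDICT_RE.search(line)
        if req:
            pending = req.groups()  # (access, target dn, attribute)
        elif ver and pending:
            who = None if ver.group(2) == "(anonymous)" else ver.group(2)
            out.append(pending + (who, ver.group(1)))
            pending = None
    return out

def replay(rules, log_lines):
    """slapd's verdict (no directives attached) beside what the posted rules would decide."""
    rows = []
    for access, target, attr, who, slapd_said in requests_from_log(log_lines):
        ok, why = evaluate(rules, target, attr, who, access)
        rows.append((access, attr, slapd_said, "granted" if ok else "denied", why))
    return rows

if __name__ == "__main__":
    for row in replay(parse_acl(PHAMM_ACL), SAMPLE_LOG):
        print("%-4s %-12s slapd=%-7s rules=%-7s %s" % row)
```

Running the file prints one line per request with slapd's verdict beside the rules' verdict; evaluate() can also be called directly for any (entry, attribute, bind DN, access) to see which directive and which by clause decide it, which is the same question the loglevel acl output answers once the directives are attached to the right database.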
On 22/07/10 12:31, Juliano Rodrigues wrote:
On 22/07/10 02:58, Jonathan Clarke wrote:
Le 21/07/2010 14:29, Juliano Rodrigues a écrit :
On 21/07/10 05:33, Jonathan Clarke wrote:
On 21/07/2010 02:28, Juliano Rodrigues wrote:
Hello,
Im using Phamm, its an php-web front-end to manage ldap postfix virtual hosting mail env. at my Fedora 11 box (openldap 2.4.15-7).
Its designed to manage multi roles access:
Admin/Manager (full access) postmaster (manage accounts under own domain) account/user (manage own account only)
Install instructions from Phamm autor, recommends to do an include at end of slapd.conf to phamm.acl file.
But its not working here, only Admin or Manager (rootdn) can write changes.
User postmaster cannot write and account users have read only access as well.
Below I post phamm.acl, Please, Can anyone help me with this acls issue?
A few suggestions:
- Have you modified phamm.acl to contain your DN suffix instead of
dc=example,dc=tld?
- ACLs are treated in order, and the first that matches wins. Do you
have any other ACLs in your slapd.conf, before this include? If so, you need to adapt them to fit in with this one.
Hope this helps, Jonathan
--- phamm.acl ---
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts by dn="cn=admin,dc=example,dc=tld" write by self read by set.expand="user/editAccounts & [TRUE]" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by * none
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=otherPath by dn="cn=admin,dc=example,dc=tld" write by anonymous read by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=createMaildir,vdHome,mailbox,otherTransport by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" read
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
access to dn.regex=".+,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self read
access to dn.regex="ou=admin,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self read
--- end ---
I'm using this DN suffix, dc=example,dc=tld, for test purposes at this first moment.
There are no other ACLs in my slapd.conf.
Why can't postmaster and users write changes? Thanks
Try running OpenLDAP with "loglevel acl" in slapd.conf or "-d acl" on the command line, and analyze that output. It will show you what access is requested by the client, and which ACLs give/deny it.
Jonathan
Thanks for your reply, Jonathan. After debugging the ACLs, I still cannot find why postmaster doesn't have write access. Below is the loglevel acl output.
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 24: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 32: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 39: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 46: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 54: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 61: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 69: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 75: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 82: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 90: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 97: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 102: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 106: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 110: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2883]: /etc/openldap/schema/phamm.acl: line 114: warning: ACL could be out of scope within backend naming context
Jul 22 09:18:44 mailserver slapd[2884]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access granted by read(=rscxd)
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access to "mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld" "quota" requested
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access granted by read(=rscxd)
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access granted by read(=rscxd)
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: search access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "entry" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default search access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: search access granted by read(=rscxd)
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: auth access granted by read(=rscxd)
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: add access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "children" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default add access denied to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: no more rules
Thanks for any help that points me in the right direction.
Please, where can I find which ACLs are denying cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld? I only see access_allowed, slap_access_allowed, backend default add access denied. I cannot do much more with this information. How can I debug ACLs harder? (Only ACLs; I already tried -1 without success, looking for the denying information.) Sorry for my low know-how on this issue, but I really need to finish this job. Thanks.
openldap-technical@openldap.org
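The `loglevel acl` output quoted in the thread can be read mechanically. The script below is an added example (editor's code, not OpenLDAP's or Phamm's) that pairs each `access_allowed: ... requested` line with the verdict slapd prints right after it; the sample lines are copied from the log posted above, plus two constructed lines in the shape slapd uses when an `access to` clause decides. The detail worth knowing: slapd prints `slap_access_allowed: backend default <op> access granted|denied to "<bind DN>"` only on the code path it takes when the database has no `access` directives at all, in which case `defaultaccess` (read, unless configured otherwise) decides; a verdict produced by an ACL clause reads `access_allowed: <op> access granted|denied by <mask>` without the words `backend default`. Every decision in the posted log took the `backend default` path, so the postmaster's reads were granted by `defaultaccess` and the add was refused by the same fallback; the `no more rules` line there is that refusal, not a rule granting `none`.

```python
"""Pair each slapd `loglevel acl` request with the verdict that follows it.

Added example for reading the log in this thread; not OpenLDAP's or Phamm's
code.  Message shapes handled:

  => access_allowed: <op> access to "<target DN>" "<attr>" requested
  => slap_access_allowed: backend default <op> access granted|denied to "<bind DN>"
        (only when the database has no ACLs: `defaultaccess` decides)
  => access_allowed: <op> access granted|denied by <mask>
        (an `access to` clause decided, or defaultaccess on a grant)
  => access_allowed: no more rules
        (ACL list exhausted without a match; after a `backend default`
         denial it is that fallback refusing)
"""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the log posted in the thread.
SAMPLE_LOG = """\
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access to "mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld" "quota" requested
Jul 22 09:24:20 mailserver slapd[2884]: => slap_access_allowed: backend default read access granted to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:20 mailserver slapd[2884]: => access_allowed: read access granted by read(=rscxd)
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" "userPassword" requested
Jul 22 09:24:24 mailserver slapd[2884]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Jul 22 09:24:24 mailserver slapd[2884]: => access_allowed: auth access granted by read(=rscxd)
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: add access to "vd=social.com.br,o=hosting,dc=example,dc=tld" "children" requested
Jul 22 09:24:32 mailserver slapd[2884]: => slap_access_allowed: backend default add access denied to "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
Jul 22 09:24:32 mailserver slapd[2884]: => access_allowed: no more rules
"""

# Constructed lines (not from the thread) in the shape slapd uses when an
# `access to` clause makes the decision: no "backend default" line precedes.
ACL_DECIDED_LOG = """\
Jul 22 09:30:00 mailserver slapd[2884]: => access_allowed: write access to "mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld" "quota" requested
Jul 22 09:30:00 mailserver slapd[2884]: => access_allowed: write access denied by read(=rscxd)
"""

REQUESTED = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
DEFAULT = re.compile(r'=> slap_access_allowed: backend default \w+ access (granted|denied) to "([^"]*)"')
BY_MASK = re.compile(r'=> access_allowed: \w+ access (granted|denied) by (\S+)')
NO_RULES = re.compile(r'=> access_allowed: no more rules')

DEFAULT_SRC = "defaultaccess (database has no ACLs)"


@dataclass
class Verdict:
    access: str             # read / auth / add / ...
    target: str             # entry the request was made against
    attr: str               # attribute or pseudo-attribute (entry, children)
    outcome: str            # "granted" or "denied"
    source: str             # what made the decision
    bind_dn: Optional[str]  # only logged on the defaultaccess path


def parse_acl_log(text):
    """Return one Verdict per 'requested' line, decided by the lines after it."""
    verdicts = []
    pending = None                      # (access, target, attr) awaiting a verdict
    via_default, bind_dn = False, None
    for line in text.splitlines():
        if m := REQUESTED.search(line):
            pending, via_default, bind_dn = m.groups(), False, None
        elif m := DEFAULT.search(line):
            via_default, bind_dn = True, m.group(2)
        elif pending and (m := BY_MASK.search(line)):
            src = DEFAULT_SRC if via_default else "ACL clause, mask " + m.group(2)
            verdicts.append(Verdict(*pending, m.group(1), src, bind_dn))
            pending = None
        elif pending and NO_RULES.search(line):
            src = DEFAULT_SRC if via_default else "no `access to` clause matched"
            verdicts.append(Verdict(*pending, "denied", src, bind_dn))
            pending = None
    return verdicts


def no_acls_in_effect(verdicts):
    """True when every logged decision came from defaultaccess, i.e. the
    database holding the entries has no `access` directives attached."""
    return bool(verdicts) and all(v.source == DEFAULT_SRC for v in verdicts)


if __name__ == "__main__":
    for v in parse_acl_log(SAMPLE_LOG) + parse_acl_log(ACL_DECIDED_LOG):
        print(f"{v.access:5} {v.attr:12} on {v.target}: {v.outcome} via {v.source}")
```

Since `access` directives in slapd.conf attach to the `database` stanza that precedes them (or apply globally when placed before any `database`), the first thing to compare is the position of the `include` line relative to the `database` stanza that serves dc=example,dc=tld. slapacl(8) asks slapd the same question against the configuration it really loads, e.g. `slapacl -f /etc/openldap/slapd.conf -D "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld" -b "vd=social.com.br,o=hosting,dc=example,dc=tld" children/write`.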
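Jonathan's rule above, that ACLs are evaluated in order and the first `access to` clause whose target matches wins (with the first matching `by` clause then fixing the access level, and an implicit `by * none` if none does), can be tried against the posted file without a running slapd. The following added example (editor's code, not OpenLDAP's or Phamm's) parses five of the posted rules verbatim and evaluates the two postmaster requests seen in the log. It models only the clause forms phamm.acl uses, treats a bare `dn=` as an exact DN, assumes DNs are already normalised, compiles the patterns case-insensitively, and skips `set.expand` clauses (they need directory data), reporting which ones it skipped. On the text as posted, the rule without an `attrs=` list (`^(.+,)?vd=([^,]+),o=hosting,...`) does grant `cn=postmaster,vd=social.com.br,...` write on `children` of its own `vd=` entry, while the first seven rules cannot match that entry at all because `.+,vd=` requires a component in front of `vd=`. The slapd log, by contrast, reached `backend default`/`no more rules` for that same request, a verdict without any matching clause, so the question is which configuration slapd actually loaded rather than how this text reads.

```python
"""Toy model of slapd ACL selection: first `access to` clause whose <what>
(dn.regex + attrs) matches the target wins; then the first matching <by>
clause gives the access level; if none matches, access is none.

Added example, not OpenLDAP's or Phamm's code.  Simplifications: only the
<what>/<by> forms used in phamm.acl are handled; bare dn= is treated as an
exact DN; DNs are assumed normalised; set.expand clauses are skipped and
reported, since they need directory data to evaluate.
"""
import re
import shlex

# Rules 1, 2, 8, 9 and 10 of phamm.acl exactly as posted in the thread.
ACL_TEXT = r'''
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword by dn="cn=admin,dc=example,dc=tld" write by self write by anonymous auth by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive by dn="cn=admin,dc=example,dc=tld" write by self read by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [TRUE]" write by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read by set.expand="user/vd & [$1]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by set.expand="user/editAccounts & [FALSE]" read by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write by set.expand="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$" by dn="cn=admin,dc=example,dc=tld" write by self write by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read by anonymous auth
'''


def parse_acl(text):
    """Turn `access to <what> by <who> <level> ...` lines into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)            # strips the quotes around patterns
        if tok[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        rule = {"dn_regex": None, "attrs": None, "by": []}
        i = 2
        while i < len(tok) and tok[i] != "by":
            key, _, val = tok[i].partition("=")
            if key == "dn.regex":
                rule["dn_regex"] = re.compile(val, re.IGNORECASE)
            elif key == "attrs":
                rule["attrs"] = {a.lower() for a in val.split(",")}
            else:
                raise ValueError("unsupported <what> clause: " + tok[i])
            i += 1
        while i < len(tok):                # groups of: by <who> <level>
            rule["by"].append((tok[i + 1], tok[i + 2]))
            i += 3
        rules.append(rule)
    return rules


def expand(pattern, match):
    """Replace $1, $2 ... with the groups captured by the dn.regex match."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", pattern)


def evaluate(rules, target_dn, attr, bind_dn):
    """Return (rule_index, level, who, skipped_sets) for the first rule whose
    <what> matches; (None, None, None, []) when no rule matches at all."""
    for idx, rule in enumerate(rules):
        m = rule["dn_regex"].search(target_dn)   # regexec(): unanchored unless ^/$
        if not m:
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                             # omitted attrs= matches everything
        skipped = []
        for who, level in rule["by"]:
            if who == "*":
                return idx, level, who, skipped
            if who == "anonymous":
                if bind_dn == "":
                    return idx, level, who, skipped
                continue
            if who == "self":
                if bind_dn and bind_dn.lower() == target_dn.lower():
                    return idx, level, who, skipped
                continue
            if who.startswith("set"):
                skipped.append(who)              # needs entry data; not modelled
                continue
            style, _, pattern = who.partition("=")
            if style == "dn.exact,expand":
                pattern = expand(pattern, m)
            elif style not in ("dn", "dn.exact"):
                raise ValueError("unsupported <who> clause: " + who)
            if bind_dn.lower() == pattern.lower():
                return idx, level, who, skipped
        return idx, "none", None, skipped        # implicit `by * none`
    return None, None, None, []


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    postmaster = "cn=postmaster,vd=social.com.br,o=hosting,dc=example,dc=tld"
    for target, attr in [("mail=rodrigo@social.com.br,vd=social.com.br,o=hosting,dc=example,dc=tld", "quota"),
                         ("vd=social.com.br,o=hosting,dc=example,dc=tld", "children")]:
        print(attr, "on", target, "->", evaluate(rules, target, attr, postmaster))
```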