directory-users mailing list archives

From Emmanuel Lecharny
Subject Re: openLDAP, ApacheDS and ACL's
Date Wed, 02 Mar 2011 14:06:53 GMT
On 3/2/11 2:27 PM, Juan José Aragonés wrote:
> Hello
> It's the first post I'm writing but I've reached this point
>   reading a lot of the posts, so first of all I want to thank all of you
> for such a great job.
> OK, now to my problem:
> I've created my LDAP
> system for testing and it works fine. For an easier use I downloaded and
>   installed ApacheDS (after having set up the entire system). I created
> the connection and it works. Up to this point is great. Then I decided
> to add some ACL's to my slapd.conf.

Hmmm... ApacheDS does not have a slapd.conf file. This is an OpenLDAP file.

Aren't you confusing Apache Directory Studio (aka Studio, the RCP tool) 
with Apache Directory Server (aka ApacheDS)?
> In the beginning I had the simple one:
>   access to *
>      by * read
> This one worked fine: can log in with any user and read the whole tree. So I #commented
> this one and tried another one:
> access to dn.subtree="ou=Bahamas,ou=Users,dc=test,dc=com"
>     by dn.exact="cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com" write
> It's meant to allow Ken Roberts to modify, add or delete entries but only
> under "ou=Bahamas,ou=Users,dc=test,dc=com" (hope this is correct). But
> when I try to log in as "cn=Ken Roberts,ou=Bahamas,ou=Users,dc=test,dc=com"
> in ApacheDS I can't (Error message: Invalid credentials). It only lets me
> log in as "cn=Manager,dc=test,dc=com" (set in slapd.conf as the root DN).
> I decided to try with another ACL:
> access to *
>     by dn.children="ou=Admin,ou=Users,dc=test,dc=com" write
> It's meant to allow all users under "ou=Admin,ou=Users,dc=test,dc=com" to
> modify, add or delete entries anywhere in the tree. But the same
> happens: when I try to log in as
> "cn=MR Administrator,ou=Admin,ou=Users,dc=test,dc=com" in ApacheDS I can't
> (same error as above). Can only log in as "cn=Manager,dc=test,dc=com".
> I have no idea about what to do so, if anyone can help me with this I'd be really grateful.
So far, assuming that you are using Studio + OpenLDAP, all the issues 
you have are really related to OpenLDAP configuration, not to Studio. 
Studio has no idea about OpenLDAP ACI handling, whatsoever.

I'll suggest you set up the log level in OpenLDAP to get some more 
information about the ACI and how they are managed.

Otherwise, you can also post to the OpenLDAP mailing list.

Emmanuel Lécharny
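
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of the matching order documented in slapd.access(5) (first matching `access to`, first matching `by`, implicit `by * none`), applied to the ACLs quoted above. It assumes a simple bind is evaluated as an anonymous client needing at least `auth` on the target entry, ignores attribute selectors, and the `by anonymous auth` variant is an assumed correction that nobody in the thread proposed.

```python
# Simplified model of slapd ACL matching (slapd.access(5)); not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def dn_matches(style, pattern, dn):
    """Match a DN (None = anonymous client) against a <what> or <who> clause."""
    if style == "*":
        return True
    if style == "anonymous":
        return dn is None
    if dn is None:
        return False
    dn, pattern = dn.lower(), pattern.lower()  # DNs compare case-insensitively
    if style == "exact":
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "children":
        return dn.endswith("," + pattern)
    raise ValueError("unsupported style: " + style)

def granted(acl, target_dn, who_dn):
    """First matching <what> wins, then the first matching <who> inside it."""
    for (w_style, w_dn), by_clauses in acl:
        if dn_matches(w_style, w_dn, target_dn):
            for (b_style, b_dn), level in by_clauses:
                if dn_matches(b_style, b_dn, who_dn):
                    return level
            return "none"  # implicit "by * none" closing every access directive
    return "none"          # implicit final "access to * by * none"

def can_bind(acl, bind_dn):
    """The client is still anonymous while its bind credentials are checked."""
    return LEVELS.index(granted(acl, bind_dn, None)) >= LEVELS.index("auth")

BAHAMAS = "ou=Bahamas,ou=Users,dc=test,dc=com"
KEN = "cn=Ken Roberts," + BAHAMAS
ADMIN_OU = "ou=Admin,ou=Users,dc=test,dc=com"
MR_ADMIN = "cn=MR Administrator," + ADMIN_OU
# The three rule sets quoted in the thread
ACL_READ_ALL = [(("*", ""), [(("*", ""), "read")])]
ACL_KEN = [(("subtree", BAHAMAS), [(("exact", KEN), "write")])]
ACL_ADMINS = [(("*", ""), [(("children", ADMIN_OU), "write")])]
# Assumed correction: same grant plus "by anonymous auth"
ACL_KEN_FIXED = [(("subtree", BAHAMAS),
                  [(("exact", KEN), "write"), (("anonymous", ""), "auth")])]

if __name__ == "__main__":
    for name, acl, dn in [("read-all", ACL_READ_ALL, KEN), ("ken-only", ACL_KEN, KEN),
                          ("admins", ACL_ADMINS, MR_ADMIN), ("ken-fixed", ACL_KEN_FIXED, KEN)]:
        print(name, "bind allowed:", can_bind(acl, dn))
```

The rootdn is not subject to ACLs in OpenLDAP, which is consistent with `cn=Manager,dc=test,dc=com` still being able to log in under every rule set.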
