directory-users mailing list archives

From Juan José Aragonés <jun...@hotmail.com>
Subject RE: ACL's not applied
Date Wed, 09 Mar 2011 11:07:16 GMT

OK, I'm answering myself just in case someone's trying to find out why this doesn't work
to help me, or because it may help someone in a similar situation. I had reached a problem
(see previous post). To make it short, I just couldn't log in to an LDAP connection in Apache
Directory as any user except the rootDN, even having the ACLs seemingly working fine. Or that's
what I thought... Really I could with Master Admin, and the ACL was working fine. I could
make any change to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com". But I still couldn't
with the users under "ou=Cuba,ou=Users,dc=example,dc=com". I was getting really mad. Then
I got an idea. So I decided to make a bigger test directory.

LDIF:

dn: dc=example,dc=com
objectClass: extensibleObject
objectClass: domain
objectClass: top
dc: example

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: cn=Cuba Users,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Cuba Users
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com

dn: ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: ou=Jamaica,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jamaica

dn: ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Administrators

dn: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Doe
sn: Doe
displayName: John Doe
givenName: John
mail: jdoe@example.com
userPassword: 12345678

dn: cn=Michael Knight,ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Michael Knight
sn: Knight
displayName: Michael Knight
givenName: Michael
mail: mknight@example.com
userPassword: 12345678

dn: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Admin
sn: Master
displayName: Master Admin
givenName: Master
mail: madmin@example.com
userPassword: admin

# Parent entry for the two Jamaica users below; without it the entries under
# ou=Jamaica,ou=Users cannot be added (the original LDIF omitted it).
dn: ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jamaica

dn: cn=Clark Kent,ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Clark Kent
sn: Kent
displayName: Clark Kent
givenName: Clark
mail: ckent@example.com
userPassword: 12345678

dn: cn=Peter Parker,ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Peter Parker
sn: Parker
displayName: Peter Parker
givenName: Peter
mail: pparker@example.com
userPassword: 12345678

dn: cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Administrators
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com

I also made a change to my ACL "access to" clause:
----------------------------------------------------------------------------------------------------------
ACL before:

access to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com"
 by group/groupofuniquenames/uniquemember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
 by users read

ACL after:

access to dn.subtree="ou=Jamaica,ou=Users,dc=example,dc=com"
 by group/groupofuniquenames/uniquemember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
 by users read


I thought that the difference between John Doe and Master Administrator was that they belonged
to different. Evidently that's true, but the real difference was that I was trying to access
an ou with children belonging to that ou. So I changed from Cuba to Jamaica and it worked! I could log
in with John Doe or Master Admin to change the data under dn.subtree="ou=Jamaica,ou=Users,dc=example,dc=com".
Anyway, I'm not sure if this is absolutely correct (feel free to correct this if it isn't),
but it works for me.

Regards

Juan Jose Aragones
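
The observation in the post (users whose own entries sit inside the protected subtree could not log in, while Master Admin, who lives outside it, could) is worth checking with a small model of how slapd evaluates an "access to" list. The following is an added, constructed example, not code from the post and not OpenLDAP's own implementation. It models three rules: the first "access to" clause whose target covers the entry is used; inside it, the first matching "by" selector decides and an implicit "by * none" closes the clause; and a simple bind needs at least "auth" access to the entry for the anonymous identity, since the user is not yet authenticated when the bind is checked. The group DN, user DNs and subtrees are taken from the LDIF above; the trailing "access to * by * read" clause is an assumption about the rest of the config, as is the "hardened" clause, which simply puts the usual "by anonymous auth" and "by self write" selectors in front of the posted ones.

```python
"""Toy evaluator for OpenLDAP-style 'access to' ACLs (constructed example).

Targets are '*' or the base DN of a dn.subtree target; 'by' selectors are
'anonymous', 'users', 'self', 'group=<dn>' and '*'.  Attribute-level targets
are not modelled: the whole entry is treated as one object.
"""
from dataclasses import dataclass

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def at_least(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class Clause:
    target: str   # "*" or the base DN of a dn.subtree target
    by: list      # ordered list of (selector, level) pairs


@dataclass
class Directory:
    groups: dict  # group DN -> set of member DNs (the uniqueMember values)
    acl: list     # ordered list of Clause

    def _matches(self, who, subject, entry_dn):
        if who == "*":
            return True
        if who == "anonymous":
            return subject is None
        if who == "users":
            return subject is not None
        if who == "self":
            return subject is not None and subject.lower() == entry_dn.lower()
        if who.startswith("group="):
            members = {m.lower() for m in self.groups.get(who[6:], ())}
            return subject is not None and subject.lower() in members
        raise ValueError(f"unknown selector {who!r}")

    def access(self, subject, entry_dn):
        """Access level 'subject' (None = anonymous) gets on 'entry_dn'."""
        for clause in self.acl:
            if clause.target == "*" or in_subtree(entry_dn, clause.target):
                for who, level in clause.by:
                    if self._matches(who, subject, entry_dn):
                        return level   # first matching 'by' wins
                return "none"          # implicit 'by * none' closes the clause
        return "none"                  # no clause matched: access denied

    def can_bind(self, dn):
        # Bind is checked before the user is authenticated, i.e. as anonymous.
        return at_least(self.access(None, dn), "auth")

    def can_write(self, subject, entry_dn):
        return at_least(self.access(subject, entry_dn), "write")


# Constructed data mirroring the LDIF in the post.
ADMINS = "cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com"
JOHN = "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com"
MASTER = "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com"
CLARK = "cn=Clark Kent,ou=Jamaica,ou=Users,dc=example,dc=com"
CUBA = "ou=Cuba,ou=Users,dc=example,dc=com"
JAMAICA = "ou=Jamaica,ou=Users,dc=example,dc=com"
GROUPS = {ADMINS: {JOHN, MASTER}}
CATCH_ALL = Clause("*", [("*", "read")])   # assumed trailing default clause


def directory_with(subtree, by):
    return Directory(GROUPS, [Clause(subtree, by), CATCH_ALL])


def posted_acl(subtree):
    """The 'by' list exactly as in the post, applied to the given subtree."""
    return directory_with(subtree, [("group=" + ADMINS, "write"), ("users", "read")])


def hardened_acl(subtree):
    """Same clause with the usual bind-enabling selectors placed first (assumption)."""
    return directory_with(subtree, [("anonymous", "auth"), ("self", "write"),
                                     ("group=" + ADMINS, "write"), ("users", "read")])


if __name__ == "__main__":
    before, after = posted_acl(CUBA), posted_acl(JAMAICA)
    print("before: John can bind?", before.can_bind(JOHN))                    # False
    print("before: Master can bind?", before.can_bind(MASTER))                # True
    print("after:  John can bind?", after.can_bind(JOHN))                     # True
    print("after:  John can write under Jamaica?", after.can_write(JOHN, JAMAICA))  # True
    print("after:  Clark can bind?", after.can_bind(CLARK))                   # False
    print("fixed:  John can bind under Cuba?", hardened_acl(CUBA).can_bind(JOHN))   # True
```

Run as a script it reproduces the post: with the clause on ou=Cuba, John Doe is denied at bind time because neither "by group" nor "by users" matches an anonymous subject, while Master Admin falls through to the catch-all. Moving the clause to ou=Jamaica does not remove the problem, it moves it: Clark Kent, who lives under Jamaica, now cannot bind. The hardened variant keeps the posted group and "users" selectors and only adds the selectors that let the protected users authenticate and manage their own entry.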
