directory-users mailing list archives

From Juan José Aragonés <jun...@hotmail.com>
Subject ACL's not applied
Date Tue, 08 Mar 2011 10:42:26 GMT

Hello

First of all, thanks to Emmanuel Lecharny for his quick response to my previous thread, and
for pointing out my "little" confusion. Keep up the good work, all of you!
Now here comes my problem. Having set up my LDAP correctly and having connected to it using Apache
Directory Studio 1.5.3, everything seems all right. I can connect with the admin and the other
users. I change my slapd.conf to introduce some ACLs. Checking them on the command line, they
work OK. But when I try to connect using Apache Directory Studio I'm only able to do it
using the manager (the rest get "Invalid credentials"). I hope you can help me.
I'm pasting the LDIF and the ACL part of my slapd.conf (it's checked and working OK):

LDIF:

dn: dc=example,dc=com
objectClass: extensibleObject
objectClass: domain
objectClass: top
# the naming attribute's value must match the RDN, otherwise the add is a
# naming violation; the original read "dc: lagantest"
dc: example

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: cn=Cuba Users,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Cuba Users
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com

dn: ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Administrators

dn: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Doe
sn: Doe
displayName: John Doe
givenName: John
mail: jdoe@example.com
userPassword: 12345678

dn: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
# the naming attribute's value must match the RDN; the original read "cn: Admin"
cn: Master Admin
sn: Master
displayName: Master Admin
givenName: Master
mail: madmin@example.com
userPassword: admin

dn: cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Administrators
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com
----------------------------------------------------------------------------------------------------------
ACL:
access to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com"
    by group/groupofuniquenames/uniquemember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
    by users read

----------------------------------------------------------------------------------------------------------
One example of this working is:

/usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf \
    -b "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com" \
    -D "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com" "mail/write:"
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
authcDN: "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com"
write access to mail=: ALLOWED

/usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf \
    -b "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com" \
    -D "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com" "mail/write:"
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
authcDN: "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com"
write access to mail=: DENIED

/usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf \
    -b "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com" \
    -D "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com" "mail/read:"
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
authcDN: "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com"
read access to mail=: ALLOWED


Thanks

Juan Jose Aragones
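The symptom in the message above (only the rootdn can bind, slapacl says ALLOWED) is the usual OpenLDAP case of an ACL that grants nothing to the anonymous identity a simple bind still has when slapd checks userPassword. The fragment below is an added editorial example, not the author's slapd.conf or a reply from the list; it reuses the DNs from the post and assumes that slapacl run without -D evaluates as the anonymous identity.

```conf
# Added example, not part of the original message: the posted ACL with an
# auth rule placed in front so the listed users can bind from Directory Studio.
#
# Why the posted rule fails: a simple bind checks userPassword while the
# connection is still anonymous and needs the "auth" privilege. "by users read"
# only matches already-authenticated identities, and every access directive
# ends with an implicit "by * none", so the bind is refused as "Invalid
# credentials". The rootdn ("manager") is exempt from ACLs, which is why it
# still works. slapacl -D pre-sets the identity, so it never exercises the
# anonymous bind path and reports ALLOWED/DENIED exactly as the post shows.
#
# Directives are tried in order and the first matching <what> wins, so the
# userPassword rule must come before the subtree rule.

access to attrs=userPassword
    by anonymous auth
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
    by * none

# The posted rule, now covering every attribute except userPassword, so
# "by users read" no longer hands password values to every logged-in user.
access to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
    by users read

# Explicit catch-all for entries outside the Cuba subtree (Master Admin lives
# under ou=Administrators), instead of relying on whatever the rest of
# slapd.conf implies for them.
access to *
    by users read
    by * none

# Check the bind path the way slapd sees it: no -D, so slapacl evaluates as
# anonymous (assumption stated in the lead-in). Expected result: ALLOWED.
#   slapacl -f /usr/local/etc/openldap/slapd.conf \
#       -b "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com" "userPassword/auth"
```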