Gentoo Forums
openldap acl issue (no write access to parent)
pactoo
Guru
Joined: 18 Jul 2004
Posts: 553

PostPosted: Tue Feb 22, 2011 2:41 pm    Post subject: openldap acl issue (no write access to parent)

Hello,

I do have trouble with openldap acls. I've tried to define an admin group, but this does not work.

The user:
Code:

dn: cn=ldapadmins,o=ORG,c=DE
objectClass: groupOfUniqueNames
cn: ldapadmins
uniqueMember: uid=admin1,ou=gods,o=ORG,c=DE
uniqueMember: uid=admin2,ou=gods,o=ORG,c=DE

dn: uid=admin1,ou=gods,o=ORG,c=DE
objectClass: inetOrgPerson
objectClass: top
cn: Bastard Operator
sn: Operator
givenName: Bastard
uid: admin1
userPassword:: e1NTSEF9RkJDNEltblJrQ2luRvdD3m1hdPOXNzTDZFbGpRVVE=

The acl:
Code:

access to *
        by group.exact="cn=ldapadmins,o=ORG,c=DE"    manage
        by users                                        read
        by anonymous                                    auth
        by *                                            none

The Error:
Code:

#ldapdelete -v 'some DN' -D 'uid=admin1,ou=gods,o=ORG,c=DE' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
deleting entry "some DN"
ldap_delete: Insufficient access (50)
        additional info: no write access to parent


So, despite admin1 being in the ldapadmins group and this group having full access (manage), I cannot delete an entry. ldapsearch works. I am not sure where the error is. There are some similar cases about this in google, but those are way more complicated and therefore not really usable.
nativemad
Developer
Joined: 30 Aug 2004
Posts: 911
Location: Switzerland

PostPosted: Wed Feb 23, 2011 1:35 pm    Post subject:

Hi,

I actually don't know where the difference between "manage" and "write" is, but maybe it is exactly the delete function!? -I use "write"!

Funny, this is from http://www.zytrax.com/books/ldap/ch6/ ...
Quote:
manage - The objects defined in the <what> clause may be managed.
write - The objects defined in the <what> clause may be written to.

which one has higher permissions now!?
_________________
Power to the people!
pactoo
Guru
Joined: 18 Jul 2004
Posts: 553

PostPosted: Wed Mar 02, 2011 5:23 pm    Post subject:

nativemad wrote:
which one has higher permissions now!?


manage

Manage is (supposed) to be to openldap what root is to unix. That includes creation and deletion of objects.

See: http://www.openldap.org/doc/admin24/access-control.html chapter 8.2.3

Edit: But my problem still persists
nativemad
Developer
Joined: 30 Aug 2004
Posts: 911
Location: Switzerland

PostPosted: Thu Mar 03, 2011 12:20 pm    Post subject:

hmm...

Do you have any other rule that could interfere?

You should use "by * break" as end of every rule... Just the last one should have "by * none".
_________________
Power to the people!
pactoo
Guru
Joined: 18 Jul 2004
Posts: 553

PostPosted: Sat Mar 05, 2011 10:57 pm    Post subject:

No, these are all rules. It is still a very simple setup with a very simple DIT.
Sven Vermeulen
Retired Dev
Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Sun Apr 10, 2011 8:14 pm    Post subject: Re: openldap acl issue (no write access to parent)

pactoo wrote:
Hello,

I do have trouble with openldap acls. I've tried to define an admin group, but this does not work.

The user:
Code:

dn: cn=ldapadmins,o=ORG,c=DE
objectClass: groupOfUniqueNames
...

The acl:
Code:

access to *
        by group.exact="cn=ldapadmins,o=ORG,c=DE"    manage
...



Iirc, group.exact only works with groupOfNames/member.

In your slapd.conf, instead of group.exact, use
Code:

access to *
  by group/groupOfUniqueNames/uniqueMember.exact="cn=ldapadmins,o=ORG,c=DE" manage

_________________
Please add "[solved]" to the initial topic title when it is solved. TIA.
Linux Sea (PDF), an online e-book on Gentoo Linux
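A small lint for exactly this mismatch, added here as an example and not part of the thread or of OpenLDAP: it parses the posted group entry from LDIF and the `by group...` clauses from slapd.conf, then reports any clause whose implied objectClass and membership attribute (groupOfNames/member when unqualified) cannot match the real entry. That is why admin1 never matched the manage clause and fell through to `by users read`. The sample LDIF and ACL are constructed from the thread, and the parser only handles the simple LDIF shown (no continuation lines).

```python
import re
# Constructed input mirroring the thread: the group entry as posted and the original ACL line.
SAMPLE_LDIF = """\
dn: cn=ldapadmins,o=ORG,c=DE
objectClass: groupOfUniqueNames
uniqueMember: uid=admin1,ou=gods,o=ORG,c=DE
"""
SAMPLE_ACL = """\
access to *
        by group.exact="cn=ldapadmins,o=ORG,c=DE"    manage
        by users                                        read
"""
# slapd.conf group selector: by group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
# With no qualifiers slapd assumes objectClass groupOfNames and attribute member.
GROUP_CLAUSE = re.compile(r'\bby\s+group(?:/(\w+)(?:/(\w+))?)?(?:\.\w+)?=(?:"([^"]*)"|(\S+))', re.I)
# Canonical objectClass / membership attribute pairs, keyed by lowercase class name.
GROUP_CLASSES = {"groupofnames": ("groupOfNames", "member"),
                 "groupofuniquenames": ("groupOfUniqueNames", "uniqueMember")}
def parse_ldif(text):
    """Return {dn.lower(): {attr.lower(): [values]}} for each entry in a simple LDIF string."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ").strip()
        if attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def check_group_clauses(acl_text, ldif_text):
    """List each 'by group...' clause whose class/attribute cannot match the real group entry."""
    entries, problems = parse_ldif(ldif_text), []
    for oc, attr, dn_q, dn_b in GROUP_CLAUSE.findall(acl_text):
        dn = (dn_q or dn_b).lower()
        oc, attr = (oc or "groupOfNames").lower(), (attr or "member").lower()
        entry = entries.get(dn, {})
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes:
            problems.append(f"{dn}: no such group entry in the LDIF")
        elif oc not in classes:
            real = next((GROUP_CLASSES[c] for c in classes if c in GROUP_CLASSES), None)
            fix = "group/%s/%s" % real if real else "an explicit group/<objectClass>/<attr>"
            problems.append(f"{dn}: clause assumes {oc}/{attr}, entry is {sorted(classes)}; use {fix}")
        elif attr not in entry:
            problems.append(f"{dn}: entry carries no {attr} values, so the clause matches nobody")
    return problems
```

Running `check_group_clauses(SAMPLE_ACL, SAMPLE_LDIF)` flags the posted clause and suggests `group/groupOfUniqueNames/uniqueMember`; with that form substituted the check returns no problems.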