It works. Thanks!!!

2011/2/11 Pierangelo Masarati <[email protected]>
> Natalia wrote:
>
>> Hi,
>>
>> I have a problem with ACLs. I want to grant access to an IP. My ACL:
>>
>> olcAccess: to dn.subtree="ou=people,dc=example,dc=de"
>>  by group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de" write
>>  by group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de" read
>>  by peername.ip=127.0.0.1 read
>>  by * none
>>
>> But I get an error:
>>
>> ldap_modify: Other (e.g., implementation specific) error (80)
>>         additional info: <olcAccess> handler exited with 1
>>
>> In the logs:
>>
>> conn=1034 op=4 MOD attr=olcAccess olcAccess
>> Feb 11 13:33:07 ldap slapd2.4[21279]: slapd: line 0: expecting <access> got "writeby".
>> Feb 11 13:33:07 ldap slapd2.4[21279]: <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
>> <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
>> <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
>> <attrlist> ::= <attr> [ , <attrlist> ]
>> <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
>> <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
>> <style> ::= exact | regex | base(Object)
>> <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
>> <attrstyle> ::= exact | regex | base(Obj
>> Feb 11 13:33:07 ldap slapd2.4[21279]: conn=1034 op=4 RESULT tag=103 err=80 text=<olcAccess> handler exited with 1
>>
>> I have OpenLDAP 2.4.22. If I remove "by peername.ip=127.0.0.1 read" it
>> works.
>>
>
> Your LDIF is incorrect, and the error is indirectly telling you.
>
> > olcAccess: to dn.subtree="ou=people,dc=example,dc=de"
> >  by group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de" write
> >  by group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de" read
> >  by peername.ip=127.0.0.1 read
> >  by * none
>
> The single blank you leave before each "by" simply means continuation. As
> such, what slapd sees is actually
>
> arg#1: to
> arg#2: dn.subtree="ou=people,dc=example,dc=de"by
> arg#3: group.exact="cn=lda,ou=Endsysteme,dc=example,dc=de"
> arg#4: writeby
> arg#5: group.exact="cn=kon,ou=Endsysteme,dc=example,dc=de"
> arg#6: readby
> arg#7: peername.ip=127.0.0.1
> arg#8: readby
> arg#9: *
> arg#10: none
>
> See RFC 2849 for more information on LDIF format.
>
> p.
>
