On 27-02-14 17:49, Quanah Gibson-Mount wrote:
--On Thursday, February 27, 2014 4:19 PM +0100 Jonas Kellens
<[email protected]> wrote:
Hello,
I have a working openLDAP server version 2.3.43. My configuration there
works: the correct users have the correct access.
I have set up a new openLDAP-server with newer version 2.3.43.
I have no working openLDAP on version 2.3.43.
I have tried with the new syntax and with the command
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -v
to use the built-in conversion tool, but I always got: ldap_bind: Invalid credentials (49)
So I forgot this conversion and continued with the "old" slapd.conf
file.
But in this configuration (which is just a copy/paste of my openLDAP
2.3.43) no user can query the LDAP entries.
So this is the setup:
I have a user : cn=U101001,ou=101001,dc=mydomain
This user is member of the group :
cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
These members can read entries in the tree :
ou=tbook1,ou=contacten,ou=101001,dc=mydomain
I have in slapd.conf :
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
So why does my user cn=U101001,ou=101001,dc=mydomain fail to get
results?
Likely the 2.3 acl set needs adjusting for 2.4.
I would also note it appears you're using the utterly broken packages
provided by RH. I'd strongly advise you to get sane, safe packages,
such as those provided by Symas or the LTB project.
--Quanah
Hello,
What kind of adjustments are needed then?
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
What in the above ACL statement is incorrect?
Kind regards,
Jonas.
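Added example, not from the thread and not OpenLDAP code: a small Python model of how slapd applies the ACL quoted above to the thread's own DNs, assuming constructed group memberships and a simplified DN comparison. It shows that dn.one covers only the entries directly under ou=tbook1, while ou=tbook1 itself matches no rule and falls to slapd's implicit final "access to * by * none" once any access directive is defined.

```python
# Toy evaluator of slapd.conf-style "access to dn.<scope>=... by group.exact=... <level>"
# rules. Illustration only (not slapd's real ACL engine): DNs are compared as
# lower-cased strings and only group.exact "by" clauses are modelled.

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent(dn):
    parts = norm(dn).split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else ""

def dn_matches(scope, pattern, target):
    """Mimic the dn.<scope> selectors of slapd.access(5) for an entry DN."""
    p, t = norm(pattern), norm(target)
    if scope in ("base", "exact"):
        return t == p
    if scope == "one":            # immediate children only, never the base itself
        return parent(t) == p
    if scope == "subtree":        # the base entry plus every subordinate
        return t == p or t.endswith("," + p)
    if scope == "children":       # subordinates only
        return t.endswith("," + p)
    raise ValueError("unknown scope: " + scope)

# Constructed group memberships keyed by group DN (the thread's DNs, plus a
# hypothetical cn=admin member so the admins clause can be exercised).
GROUPS = {
    norm("cn=admins,ou=101001,dc=mydomain"): {norm("cn=admin,ou=101001,dc=mydomain")},
    norm("cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain"): {norm("cn=U101001,ou=101001,dc=mydomain")},
}

# The ACL from the thread: one "access to" rule with two "by group.exact" clauses.
ACL = [("one", "ou=tbook1,ou=contacten,ou=101001,dc=mydomain",
        [("cn=admins,ou=101001,dc=mydomain", "write"),
         ("cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain", "read")])]

def access(user_dn, target_dn, acl=ACL):
    """Level granted by the first "access to" rule whose selector matches target_dn.
    Within that rule the first matching "by" clause wins; if none matches, the
    implicit "by * none" denies. If no rule matches at all, slapd's implicit
    trailing "access to * by * none" denies as well."""
    for scope, pattern, by_clauses in acl:
        if not dn_matches(scope, pattern, target_dn):
            continue
        for group_dn, level in by_clauses:
            if norm(user_dn) in GROUPS.get(norm(group_dn), set()):
                return level
        return "none"
    return "none"
```

Running access() for cn=U101001 against an entry under ou=tbook1 yields read, but against ou=tbook1 itself yields none, which is the kind of scope detail worth checking when a search base returns nothing after an upgrade.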