[Kolab-devel] [issue852] No auth access to attr userPassword in LDAP with new slapd.access

Gunnar Wrobel kolab-issues at intevation.de
Thu Jul 21 19:59:27 CEST 2005


New submission from Gunnar Wrobel <wrobel at pardus.de>:

I used the new CVS code that allows creating domain maintainers. There is a new
template for the /etc/openldap/slapd.access configuration file that gets
included into the /etc/openldap/slapd.conf file. If this additional file gets
included, I cannot bind to LDAP as a normal user anymore.

I see the following in the log file:

Jul 21 21:12:05 dome slapd[11198]: => acl_get: [2] attr userPassword
Jul 21 21:12:05 dome slapd[11198]: => acl_mask: access to entry "cn=Test,dc=home,dc=de", attr "userPassword" requested
Jul 21 21:12:05 dome slapd[11198]: => acl_mask: to all values by "", (=n)
Jul 21 21:12:05 dome slapd[11198]: <= check a_dn_pat: *
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: [2] applying +0 (continue)
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: [2] mask: =n
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: no more <who> clauses, returning =n (stop)
Jul 21 21:12:05 dome slapd[11198]: => access_allowed: auth access denied by =n

If I don't include slapd.access I can log in again. This is the content of my
slapd.access:

# Domain ACL statements for inclusion in slapd.conf

# Access to domain groups
access to dn.children="cn=domains,cn=internal,dc=home,dc=de"
        by group/kolabGroupOfNames="cn=admin,cn=internal,dc=home,dc=de" write
        by group/kolabGroupOfNames="cn=maintainer,cn=internal,dc=thome,dc=de" write
        by dn="cn=nobody,cn=internal,dc=home,dc=de" read
        by group/kolabGroupOfNames="cn=home.de,cn=domains,cn=internal,dc=home,dc=de" read
        by * search stop

# Domain specific access
access to filter=(&(objectClass=kolabInetOrgPerson)(mail=*@home.de)(|(!(alias=*))(alias=*@home.de)))
        by group/kolabGroupOfNames="cn=home.de,cn=domains,cn=internal,dc=home,dc=de" write
        by * continue

access to filter=(&(objectClass=kolabGroupOfNames)(mail=*@home.de))
        by group/kolabGroupOfNames="cn=home.de,cn=domains,cn=internal,dc=home,dc=de" write
        by * continue

access to filter=(&(objectClass=kolabSharedFolder)(cn=*@home.de))
        by group/kolabGroupOfNames="cn=home.de,cn=domains,cn=internal,dc=home,dc=de" write
        by * continue

----------
messages: 5154
nosy: wrobel
priority: minor bug
status: unread
title: No auth access to attr userPassword in LDAP with new slapd.access
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue852>
________________________________________________
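
Added example, not part of the original report or of Kolab's code: a small Python parser for the slapd ACL trace format quoted above, which pulls out each denied check together with the ACL index and the control word of the last clause applied. The function names and the SAMPLE constant are hypothetical; SAMPLE is the trace from the report with mail-wrapped lines rejoined.

```python
import re

# Constructed sample: the trace lines quoted in the report, wrapped lines rejoined.
SAMPLE = '''\
Jul 21 21:12:05 dome slapd[11198]: => acl_get: [2] attr userPassword
Jul 21 21:12:05 dome slapd[11198]: => acl_mask: access to entry "cn=Test,dc=home,dc=de", attr "userPassword" requested
Jul 21 21:12:05 dome slapd[11198]: => acl_mask: to all values by "", (=n)
Jul 21 21:12:05 dome slapd[11198]: <= check a_dn_pat: *
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: [2] applying +0 (continue)
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: [2] mask: =n
Jul 21 21:12:05 dome slapd[11198]: <= acl_mask: no more <who> clauses, returning =n (stop)
Jul 21 21:12:05 dome slapd[11198]: => access_allowed: auth access denied by =n
'''

TARGET = re.compile(r'acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
BY = re.compile(r'acl_mask: to .* by "([^"]*)", \(([^)]*)\)')
APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)')
FELL_OFF = re.compile(r'acl_mask: no more <who> clauses, returning (\S+) \((\w+)\)')
VERDICT = re.compile(r'access_allowed: (\w+) access (granted|denied) by (\S+)')
DEFAULTS = {"entry": "?", "attr": "?", "bound_as": "?", "clauses": [], "fell_off": False}

def denied_checks(log_text):
    """Return one dict per denied access check found in a slapd ACL trace."""
    findings, cur = [], {}
    for line in log_text.splitlines():
        if m := TARGET.search(line):          # start of a new check
            cur = {"entry": m[1], "attr": m[2]}
        elif m := BY.search(line):            # DN the operation runs as
            cur["bound_as"] = m[1] or "(empty DN)"
        elif m := APPLY.search(line):         # (acl index, mask change, control)
            cur.setdefault("clauses", []).append((int(m[1]), m[2], m[3]))
        elif FELL_OFF.search(line):           # ran out of <who> clauses
            cur["fell_off"] = True
        elif m := VERDICT.search(line):
            if m[2] == "denied":
                findings.append({**DEFAULTS, **cur, "level": m[1], "mask": m[3]})
            cur = {}
    return findings

def explain(f):
    """One-line summary; flags an ACL whose last applied clause was 'continue'."""
    msg = f'{f["level"]} on {f["attr"]} of {f["entry"]} denied for {f["bound_as"]} ({f["mask"]})'
    last = f["clauses"][-1] if f["clauses"] else None
    if f["fell_off"] and last and last[2] == "continue":
        msg += f'; ACL [{last[0]}] ended on "continue" with no further <who> clause'
    return msg

if __name__ == "__main__":
    for finding in denied_checks(SAMPLE):
        print(explain(finding))
```

Per slapd.access(5), `continue` only moves on to later <who> clauses of the same access statement, while `break` lets later access statements be evaluated, which is why the flagged pattern is worth checking when a trailing `by * continue` is in play.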