Directory ApacheDS / DIRSERVER-1680

allUsersSearchAndCompareACI doesn't work on service restart


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.5.7
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: server on Windows XP SP3

    Description

      I have an allUsersSearchAndCompareACI set up to allow only authenticated users to read the server, and another ACI directoryManagerFullAccessACI set up to allow privileged users/services in the group cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I have a number of these privileged users/services, and they can authenticate, but not see any of the LDAP tree (just an empty Root DSE), until I rewrite the ACI info, at which point they work perfectly... until the service or the computer it's on resets, and the problem re-occurs. (The uid=admin,ou=system account can access everything just fine.)

      The allUsersSearchAndCompareACI ACI source looks like this:

      {
          identificationTag "allUsersSearchAndCompareACI",
          precedence 10,
          authenticationLevel simple,
          itemOrUserFirst userFirst: 
          {
              userClasses { allUsers },
              userPermissions 
              {
                  {
                      protectedItems { entry, allUserAttributeTypesAndValues },
                      grantsAndDenials 
                      {
                          grantDiscloseOnError,
                          grantRead,
                          grantReturnDN,
                          grantBrowse,
                          grantCompare,
                          grantFilterMatch 
                      }
                  }
                  ,
                  {
                      protectedItems 
                      {
                          attributeType { userPassword } 
                      }
                      ,
                      grantsAndDenials 
                      {
                          denyFilterMatch,
                          denyRead,
                          denyCompare 
                      }
                  }
              }
          }
      }
      

      The directoryManagerACI looks like this:

      {
          identificationTag "directoryManagerFullAccessACI",
          precedence 11,
          authenticationLevel simple,
          itemOrUserFirst userFirst: 
          {
              userClasses 
              {
                  userGroup { "cn=ldap-admin,ou=groups,o=foobar" } 
              }
              ,
              userPermissions 
              {
                  {
                      protectedItems { entry, allUserAttributeTypesAndValues },
                      grantsAndDenials 
                      {
                          grantModify,
                          grantRead,
                          grantBrowse,
                          grantFilterMatch,
                          grantExport,
                          grantRemove,
                          grantDiscloseOnError,
                          grantAdd,
                          grantReturnDN,
                          grantInvoke,
                          grantRename,
                          grantImport,
                          grantCompare 
                      }
                  }
              }
          }
      }
      

      My LDAP tree looks like this (my comments in /* */):

      o=foobar
          cn=acientry1 /* contains the two ACI above */
          ou=groups
              /* various groups elided */
              cn=ldap-admin
      ou=schema
          /* other stuff */
      ou=system
          uid=admin
          /* other stuff */

      People

        Assignee: Unassigned
        Reporter: Jason Sachs (jms_nh)