[turba] bad DN "ou=(.+) after enforcing LDAP ACL's in slapd.conf - fixed :-)

Murray Trainer mtrainer at central-data.net
Fri Feb 17 01:54:38 PST 2006


Hi Guys,

I spent ages on getting the ACL working right myself a while ago. I had
something similar to you but a very recent version of OpenLDAP gave
warning errors about my ACL as the syntax wasn't fully correct.  Looking
at it again recently I think I understand it all a bit more clearly
now.  I came up with the result below which I think is what you are
after:

# Enforce ACL's to personal addressbooks
#
access to dn.regex="ou=(.+),ou=personal_addressbook,dc=mydomain,dc=net"
        by dn.exact,expand="uid=$1,ou=users,dc=mydomain,dc=net" write
        by users none

The site below is pretty helpful on ACL's and other LDAP stuff with
plenty of examples:

http://www.zytrax.com/books/ldap/ch6/index.html#access-examples

Definitely worth bookmarking.

Regards

Murray
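The difference between the ACLs in this thread, as an added example that is not part of any of the original posts: a small Python model of how slapd evaluates a single access directive. It is a deliberate simplification (assumptions: only the <who> styles the thread uses are modelled, DNs are normalised by dropping whitespace around commas, regexes are unanchored as with regexec(3), the first matching by clause wins, and an unmatched request falls through to the implicit trailing `by * none`), and the principals alice and bob are constructed. The original `dn="ou=(.+), ..."` line from turba/docs/LDAP fails because a bare `dn=` is an exact DN that slapd validates as DN syntax, which is the "bad DN" error quoted below; `dn.regex` is what makes it a pattern. Murray's `by dn.exact,expand="uid=$1,..."` substitutes the ou captured by the what clause, so only the owner of an addressbook can write to it, whereas Dale's `by dn.regex="uid=(.+),..."` never references `$1` and therefore grants every user under ou=people write access to every personal addressbook.

```python
import re

# Added example, not code from the thread: a small model of how slapd evaluates one
# "access to dn.regex=... by ..." directive, used to compare the ACLs discussed above.
# Simplifications (assumptions): only the <who> styles that appear in the thread are
# modelled; DNs are normalised by dropping whitespace around commas; regexes are
# unanchored, as with regexec(3), so anchor with ^ and $ in a real slapd.conf when
# you need exact-scope matching; the first matching <by> clause wins; an unmatched
# request falls through to the implicit "by * none" every access directive ends with.

ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    """Drop whitespace around RDN separators, as slapd does before matching."""
    return ",".join(part.strip() for part in dn.split(","))


def expand(pattern, what_match):
    """Substitute $1..$9 with the capture groups of the <what> regex match."""
    return re.sub(r"\$([1-9])", lambda m: what_match.group(int(m.group(1))), pattern)


def evaluate(directive, target_dn, bind_dn):
    """Access level the directive grants bind_dn (None = anonymous) on target_dn,
    or None if the directive's <what> clause does not cover target_dn at all."""
    what_match = re.search(directive["what"], normalize_dn(target_dn))
    if what_match is None:
        return None
    bind = normalize_dn(bind_dn) if bind_dn else ""
    for style, pattern, level in directive["by"]:
        if style == "*":
            return level
        if style == "users":                      # any authenticated bind
            if bind:
                return level
            continue
        if not bind:                              # dn.* styles never match anonymous
            continue
        if style == "dn.exact,expand":            # expand $n, then compare the whole DN
            if normalize_dn(expand(pattern, what_match)) == bind:
                return level
        elif style == "dn.regex":                 # regex style implies $n expansion
            if re.search(expand(pattern, what_match), bind):
                return level
        else:
            raise ValueError(f"unsupported <who> style {style!r}")
    return "none"                                 # implicit trailing "by * none"


def writers(directive, target_dn, bind_dns):
    """Bind DNs (in the given order) that the directive lets write to target_dn."""
    return [dn for dn in bind_dns
            if ACCESS_LEVELS.index(evaluate(directive, target_dn, dn) or "none")
            >= ACCESS_LEVELS.index("write")]


# Murray's directive from this message.
MURRAY_ACL = {
    "what": r"ou=(.+),ou=personal_addressbook,dc=mydomain,dc=net",
    "by": [
        ("dn.exact,expand", "uid=$1,ou=users,dc=mydomain,dc=net", "write"),
        ("users", None, "none"),
    ],
}

# Dale's earlier directive from the quoted reply: its <who> regex captures a uid of
# its own but never references $1, so it is not tied to the ou matched in <what>.
DALE_ACL = {
    "what": r"ou=(.+),ou=personal_addressbook,dc=site,dc=com",
    "by": [
        ("dn.regex", r"uid=(.+),ou=people,dc=site,dc=com", "write"),
    ],
}

if __name__ == "__main__":
    # Constructed sample principals (not from the thread).
    murray_users = ["uid=alice,ou=users,dc=mydomain,dc=net", "uid=bob,ou=users,dc=mydomain,dc=net"]
    dale_users = ["uid=alice,ou=people,dc=site,dc=com", "uid=bob,ou=people,dc=site,dc=com"]
    print("Murray, alice's book:", writers(MURRAY_ACL, "ou=alice,ou=personal_addressbook,dc=mydomain,dc=net", murray_users))
    print("Dale, alice's book:  ", writers(DALE_ACL, "ou=alice,ou=personal_addressbook,dc=site,dc=com", dale_users))
```

Run it and the first line lists only alice, the second lists alice and bob. Because the what regex is unanchored, contact entries beneath `ou=alice,ou=personal_addressbook,...` also match with `$1` set to alice, which is what you want for the addressbook contents; the model also shows that an anonymous bind ends in the implicit `by * none`.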




> Hi
> 
> Cheers for that. phew, as if I have not spent a nightmare 3 days mount 
> everest learning curve with slapd ldap, so thanks for the pull up to the 
> top, well nearly to top:-)
> 
> Probably should go in the turba/docs/LDAP
> 
> and maybe a hint in the turba/config/conf.xml file stating in the turba 
> setup: If using LDAP ensure your have: the displays the LDAP document 
> text.
> 
> I know, I should have read it.
> 
> M.
> 
> In message <002401c6336b$fe630fa0$641e140a at ATHLON>, Dale Hartung 
> <dale at dghartung.com> writes
> >You're using a regular expression, do something like this:
> >
> > access to dn.regex="ou=(.+),ou=personal_addressbook,dc=site,dc=com"
> >        by dn.regex="uid=(.+),ou=people,dc=site,dc=com" write
> >
> >
> >I spent hours figuring this out and this works for me now.
> >
> >Dale
> >
> >-----Original Message-----
> >From: turba-bounces at lists.horde.org [mailto:turba-bounces at lists.horde.org]
> >On Behalf Of Mark Worsdall
> >Sent: Thursday, February 16, 2006 8:38 PM
> >To: turba at lists.horde.org
> >Subject: [turba] bad DN "ou=(.+) after enforcing LDAP ACL's in slapd.conf
> >
> >Hi,
> >
> >When I add the lines specified in turba/docs/LDAP
> >
> >Enforce ACL's to personal address books.
> >
> >    Add this to your LDAP ACL so users can only see their own address
> >book::
> >
> >
> >access to dn="ou=(.+), ou=personal_addressbook, dc=shadowrobot, dc=com"
> >          by dn="uid=$1, dc=shadowrobot, dc=com" write
> >          by * none
> >
> >
> >and restart the slapd.conf server. It won't start and reports error:
> >
> >sudo /etc/init.d/slapd restart
> >
> >Stopping OpenLDAP: slapd.
> >Starting OpenLDAP: running BDB recovery, slapd - failed:
> >/etc/ldap/slapd.conf: line 103: bad DN "ou=(.+),
> >ou=personal_addressbook, dc=shadowrobot, dc=com" in to DN clause
> ><access clause> ::= access to <what> [ by <who> <access> [ <control> ]
> >]+
> >
> >
> >I assume that LDAP ACL's  in the case of slapd means the slapd.conf
> >file?
> >
> >M.
> >--
> >Mark Worsdall
> >http://www.shadowrobot.com/  need a hand??
> 
> -- 
> Mark Worsdall
> http://www.shadowrobot.com/  need a hand??
