LDAP (slapd) ACL issue – can add but not modify entries

Tags: access-control-list, ldap, openldap

I have an issue with the ACL configuration of an LDAP server (slapd). The following ACL entry is active as the first rule that applies:

{0}to dn.subtree="ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow"  attrs=entry,children by users write

Now the strange thing that happens is that given that rule I can add an entry to the respective DN but if I want to modify it with the very same user, then I get

0x32 (LDAP_INSUFFICIENT_ACCESS)

Can someone give me a hint what the problem could be?

Best Answer

If you want to allow the modification of the whole entry, you need to remove the attrs= option completely.
I think you're misunderstanding what the attrs=entry does. It doesn't let you modify the whole entry. The entry attribute only grants permission to the entry itself (not its attributes), which basically only allows you to delete it. The children attribute is what is letting you create new children under that entry. But as soon as the child is created, you can't modify it because it falls under the dn.subtree match, and your ACL forbids modification of anything other than deleting the entry and creating children.

From http://www.openldap.org/doc/admin24/access-control.html:

There are two special pseudo attributes entry and children. To read (and hence return) a target entry, the subject must have read access to the target's entry attribute. To perform a search, the subject must have search access to the search base's entry attribute. To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute. To rename an entry, the subject must have write access to entry's entry attribute AND have write access to both the old parent's and new parent's children attributes. The complete examples at the end of this section should help clear things up.

As mentioned, the solution is to remove the attrs option. This makes the ACL default to everything, so when you specify write, it lets you write to everything on that entry.
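As an added example (not part of the question or the answer above), here is what the fix looks like when the ACL lives in cn=config, with the original rule and the corrected rule side by side. The database DN olcDatabase={1}mdb,cn=config is an assumption; the index of your database may differ.

```ldif
# Added example, not from the original post. Replaces the first olcAccess
# value of the database with the corrected rule. The database DN below is an
# assumption; find yours with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
# Remove the rule at ordering index 0. That rule was:
#   {0}to dn.subtree="ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow" attrs=entry,children by users write
# With attrs=entry,children, "write" only covers the two pseudo attributes,
# so an authenticated user can add or delete entries but not change any
# of their real attributes (hence LDAP_INSUFFICIENT_ACCESS on modify).
olcAccess: {0}
-
add: olcAccess
# Corrected rule: no attrs= clause, so the default of all attributes
# (including entry and children) applies and "write" covers the whole entry.
olcAccess: {0}to dn.subtree="ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow" by users write
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif` and confirm the effect without touching data using slapacl, for example `slapacl -F /etc/ldap/slapd.d -D "uid=someuser,dc=the,dc=rain,dc=bow" -b "cn=test,ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow" "description/write"` (both DNs are placeholders); it should now report the access as ALLOWED. Note that `by users write` without an attrs= clause grants every authenticated bind write access to every attribute in that subtree; if only a specific set of accounts should have that, scope the `by` clause to them (e.g. a `by group=...` clause) rather than to `users`.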