Hello,
I’m using:
Ubuntu 12.04 LTS Server
OpenLDAP 2.4
eGroupWare 1.8
I’m having problems getting the address book to work. User accounts and groups are stored in LDAP, and the contacts in the address book should be stored in LDAP, too. Unfortunately, I couldn’t find a solution in the forums. We also bought the manual, but I couldn’t find a solution there either. When I add a new user account, eGroupWare creates the corresponding entry in the address book (and I am able to edit it), but when I try to add a contact to the address book I get the following error:
Error saving the contact !!! Insufficient access: so_ldap: 521.
And this is what I get from the LDAP log:
slapd[984]: connection_input: conn=1040 deferring operation: binding
I assume there is something wrong with my ACL, but I can’t figure out what the problem is. I’ve tried every suggestion I could find in the forums, but nothing seems to work. BTW, when I add an entry to the address book via ldapadd, I can see the contact in eGroupWare’s address book, but I’m not able to edit it. I can save an entry neither in the personal nor in the group address books, which are created by eGroupWare without any problems, as are the OUs for the address book (ou=contacts, ou=shared and ou=personal). At the moment I’m using this ACL:
# Access to users personal addressbooks
# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=entry
    by dn.regex="uid=$1,ou=accounts,o=$2,dc=MY,dc=DOMAIN" read
    by dn.regex="cn=egwadmin,o=$2,dc=MY,dc=DOMAIN" write
    by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=children
    by dn.regex="uid=$1,ou=accounts,o=$2,dc=MY,dc=DOMAIN" write
    by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
    by dn.regex="uid=$1,ou=accounts,o=$2,dc=MY,dc=DOMAIN" write
    by users none
# Access to group addressbooks: with just posixGroup (case a) above)
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=entry
    by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=MY,dc=DOMAIN]/memberUid" read
    by dn.regex="cn=egwadmin,o=$2,dc=MY,dc=DOMAIN" write
    by users none
# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=children
    by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=MY,dc=DOMAIN]/memberUid" write
    by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$"
    attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
    by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=MY,dc=DOMAIN]/memberUid" write
    by users none
I am using these schemas in my slapd.conf:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/evolutionOrgPerson
include /etc/ldap/schema/mozillaAbPersonAlpha
include /etc/ldap/schema/inetorgperson.schema
And this is the ACL I use in my slapd.conf:
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
include /etc/ldap/acl_addressbook.conf
# The admin dn has full write access, everyone else
# can read everything.
access to *
    by * read
And this is what slapcat produces:
dn: dc=MY,dc=DOMAIN
objectClass: top
objectClass: dcObject
objectClass: organization
o: MY DOMAIN GmbH
dc: MY DOMAIN
structuralObjectClass: organization
entryUUID: aa74ff92-69c7-1031-8fd6-bbf9e5af456f
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104001Z
entryCSN: 20120724104001.302476Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724104001Z
dn: cn=admin,dc=MY,dc=DOMAIN
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEfdfF9SzcyfTXRierewSU54azJ0Lzdsaflhö7987wFJSy9FNWo=
structuralObjectClass: organizationalRole
entryUUID: aa79d382-69c7-1031-8fd7-bbf9e5af456f
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104001Z
entryCSN: 20120724104001.334115Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724104001Z
dn: ou=accounts,dc=MY,dc=DOMAIN
objectClass: top
objectClass: organizationalUnit
ou: accounts
structuralObjectClass: organizationalUnit
entryUUID: f2548fee-69c7-1031-995e-c7422a7d28bd
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104201Z
entryCSN: 20120724104201.885859Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724104201Z
dn: ou=groups,dc=MY,dc=DOMAIN
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: f2559bb4-69c7-1031-995f-c7422a7d28bd
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104201Z
entryCSN: 20120724104201.892717Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724104201Z
dn: cn=Default,ou=groups,dc=MY,dc=DOMAIN
objectClass: top
objectClass: posixGroup
gidNumber: 17
cn: Default
structuralObjectClass: posixGroup
entryUUID: 2db5f046-69c8-1031-901b-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104341Z
memberUid: admin
memberUid: test
memberUid: egwadmin
entryCSN: 20120724120042.839778Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724120042Z
dn: cn=Admins,ou=groups,dc=MY,dc=DOMAIN
objectClass: top
objectClass: posixGroup
gidNumber: 18
cn: Admins
structuralObjectClass: posixGroup
entryUUID: 2dd254a2-69c8-1031-901c-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104341Z
memberUid: admin
memberUid: test
memberUid: egwadmin
entryCSN: 20120724105415.133954Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105415Z
dn: uid=admin,ou=accounts,dc=MY,dc=DOMAIN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 30
uid: admin
gidNumber: 18
givenName: MY
sn: admin
mail: admin@mydomain.com
cn: MY admin
userPassword:: XB0fSQ2JdLbmhXYThLWHRFcVFZtVTlCV2Y0NTNCYk1tbC40SXJlSi5jZWxSN0FJOFJiUG84dkt3MTdH
 NnVyWlJVRi4=
shadowLastChange: 15545
homeDirectory: /dev/null
structuralObjectClass: inetOrgPerson
entryUUID: 603b8bb6-69c8-1031-901d-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104506Z
entryCSN: 20120724104506.271289Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724104506Z
dn: uid=test,ou=accounts,dc=MY,dc=DOMAIN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: 6586RFLJHFLJFlgflfljffhgDKCKDDKHDkh
shadowLastChange: 15545
homeDirectory: /dev/null
structuralObjectClass: inetOrgPerson
entryUUID: e8e95b5a-69c8-1031-901e-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104855Z
uidNumber: 31
gidNumber: 19
uid: test
cn: test test
givenName: test
sn: test
o: MY DOMAIN GmbH
ou: Tech
title: Tester
street: Musterallee
l: Musterstadt
st: Germany
postalCode: 00000
mail: test@mydomain.com
displayName: MY DOMAIN GmbH: test, test
entryCSN: 20120724154149.152762Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724154149Z
dn: cn=Tech,ou=groups,dc=MY,dc=DOMAIN
objectClass: top
objectClass: posixGroup
gidNumber: 19
cn: Tech
structuralObjectClass: posixGroup
entryUUID: 02feffcc-69c9-1031-901f-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724104939Z
memberUid: test
entryCSN: 20120724120042.872230Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724120042Z
dn: ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalUnit
ou: contacts
structuralObjectClass: organizationalUnit
entryUUID: 16128fc0-69c9-1031-9020-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724105011Z
entryCSN: 20120724105011.348027Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105011Z
dn: ou=personal,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalUnit
ou: personal
structuralObjectClass: organizationalUnit
entryUUID: 161307c0-69c9-1031-9021-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724105011Z
entryCSN: 20120724105011.351099Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105011Z
dn: cn=admin,ou=personal,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: admin
structuralObjectClass: organizationalRole
entryUUID: 16137cbe-69c9-1031-9022-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724105011Z
entryCSN: 20120724105011.354093Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105011Z
dn: uid=egwadmin,ou=accounts,dc=MY,dc=DOMAIN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 32
uid: egwadmin
gidNumber: 18
givenName: egw
sn: admin
mail: egw@mydomain.com
cn: egw admin
userPassword:: e2NyeXB0fSQ2JExnUXFFZTU5bk1FQ1dxb2skY0<email>kuhlmann7ud1NYejl4UzdjY05ON1dYbERdWFJaWg2L0JTSFlORThXU0N6UWdMY2dzMW1PbDBKVUpsLnVKbzBsUVNVOGRHQXRjbEZmN3FLVkN5
 dWhyR1cvSjA=
shadowLastChange: 15545
homeDirectory: /dev/null
structuralObjectClass: inetOrgPerson
entryUUID: a7601e16-69c9-1031-9024-059fbec48171
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724105415Z
entryCSN: 20120724105415.125929Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105415Z
dn: cn=test,ou=personal,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: test
structuralObjectClass: organizationalRole
entryUUID: e1b9bfe0-69c9-1031-9d35-731ba8def5a6
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724105553Z
entryCSN: 20120724105553.021193Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724105553Z
dn: cn=egwadmin,ou=personal,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: egwadmin
structuralObjectClass: organizationalRole
entryUUID: a03b8f84-69ca-1031-80e1-99ebc7ff3e96
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724110112Z
entryCSN: 20120724110112.639019Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724110112Z
dn: ou=shared,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalUnit
ou: shared
structuralObjectClass: organizationalUnit
entryUUID: a9bc8ea0-69ca-1031-80e3-99ebc7ff3e96
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724110128Z
entryCSN: 20120724110128.583915Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724110128Z
dn: cn=admins,ou=shared,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: admins
structuralObjectClass: organizationalRole
entryUUID: a9bea4d8-69ca-1031-80e4-99ebc7ff3e96
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724110128Z
entryCSN: 20120724110128.597591Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724110128Z
dn: cn=eGroupWare,dc=MY,dc=DOMAIN
cn: eGroupWare
objectClass: person
sn: eGroupWare
userPassword:: QzBzdGFgsvgdSFssMWkDNhIQ==
structuralObjectClass: person
entryUUID: 7e22aaac-69cc-1031-9de8-b51da2e26573
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724111434Z
entryCSN: 20120724111434.426801Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724111434Z
dn: cn=tech,ou=shared,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: tech
structuralObjectClass: organizationalRole
entryUUID: 58221828-69dc-1031-8e91-9b9c712fe188
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724130802Z
entryCSN: 20120724130802.617311Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724130802Z
dn: cn=default,ou=shared,ou=contacts,dc=MY,dc=DOMAIN
objectClass: organizationalRole
cn: default
structuralObjectClass: organizationalRole
entryUUID: a40f7c9e-69dc-1031-9c6d-df4ce5d67755
creatorsName: cn=admin,dc=MY,dc=DOMAIN
createTimestamp: 20120724131010Z
entryCSN: 20120724131010.002205Z#000000#000#000000
modifiersName: cn=admin,dc=MY,dc=DOMAIN
modifyTimestamp: 20120724131010Z
I also tried to use the rfc2307bis schema without any success. I’ve already spent two weeks trying to solve this problem.
Please let me know if you’ve got any ideas. I’m really stuck here.
Cheers,
Kevin
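As an added check that is not part of Kevin's post and not a reply from the forum, the following Python script compares the dn.regex targets from the posted acl_addressbook.conf against the address-book DNs in the posted slapcat output, and shows how slapd expands $1 and $2 from a matching target into the by dn.regex subjects. The DN carrying an o= component is constructed for illustration only; the post's DIT has no such level.

```python
import re

# dn.regex targets copied from the acl_addressbook.conf quoted in the post
ACL_TARGETS = {
    "personal entry": r"^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$",
    "personal children": r"cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$",
    "shared entry": r"^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$",
    "shared children": r"cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=MY,dc=DOMAIN$",
}

# "by dn.regex=..." subject templates from the same file; $1 and $2 refer to
# the capture groups of the target that matched the entry
BY_SUBJECTS = {
    "owner": "uid=$1,ou=accounts,o=$2,dc=MY,dc=DOMAIN",
    "egwadmin": "cn=egwadmin,o=$2,dc=MY,dc=DOMAIN",
}

# Address-book container DNs exactly as they appear in the posted slapcat output
DIT_DNS = [
    "cn=admin,ou=personal,ou=contacts,dc=MY,dc=DOMAIN",
    "cn=test,ou=personal,ou=contacts,dc=MY,dc=DOMAIN",
    "cn=egwadmin,ou=personal,ou=contacts,dc=MY,dc=DOMAIN",
    "cn=admins,ou=shared,ou=contacts,dc=MY,dc=DOMAIN",
    "cn=tech,ou=shared,ou=contacts,dc=MY,dc=DOMAIN",
    "cn=default,ou=shared,ou=contacts,dc=MY,dc=DOMAIN",
]

# Constructed DN with the o= level the regexes expect; it does not exist in the
# post's DIT and is here only to show what a successful match looks like
DN_WITH_O = "cn=test,ou=personal,ou=contacts,o=Example,dc=MY,dc=DOMAIN"


def matching_targets(dn):
    """Return the names of the ACL targets whose dn.regex matches dn.

    slapd evaluates dn.regex with regexec(), which finds a match anywhere in
    the DN unless the pattern itself carries ^ and $, so re.search reproduces
    that behaviour for these patterns.
    """
    return [name for name, pattern in ACL_TARGETS.items() if re.search(pattern, dn)]


def expand_subject(target_name, subject_template, dn):
    """Expand $1/$2 in a 'by dn.regex' template from the target's match on dn.

    Returns None when the target does not match: slapd then skips the whole
    access directive, so the by clauses under it are never evaluated and the
    next access directive (here the catch-all 'access to * by * read') decides.
    """
    match = re.search(ACL_TARGETS[target_name], dn)
    if match is None:
        return None
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), subject_template)


def audit(dns=DIT_DNS):
    """Map each DN to the address-book targets covering it (empty list = none)."""
    return {dn: matching_targets(dn) for dn in dns}


if __name__ == "__main__":
    for dn, hits in audit().items():
        verdict = ", ".join(hits) if hits else "no address-book target matches"
        print(f"{dn}\n    -> {verdict}")
    print("\nwith an o= level, the owner subject expands to:",
          expand_subject("personal entry", BY_SUBJECTS["owner"], DN_WITH_O))
```

The script compares DN strings literally, whereas slapd matches dn.regex against the normalized DN and applies the first access directive whose target matches, so treat its output as a structural pre-check: the authoritative answer on the live server comes from slapacl, for example `slapacl -f /etc/ldap/slapd.conf -D "uid=test,ou=accounts,dc=MY,dc=DOMAIN" -b "cn=test,ou=personal,ou=contacts,dc=MY,dc=DOMAIN" children/write`, which reports exactly which directive granted or denied the access that eGroupWare's add needs.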