Problem: Ldapacl are not accepted

Knowledge Base Community
, ,
#1

Problem:

An own ACL should be registered/saved in Ldap.

Investigation:

udm settings/ldapacl create --position cn=ldapacl,cn=univention,dc=schein,dc=me --set name=onboarding --set filename=onboarding --set data=$(bzip2 -c /root/my-onboarding.acl | base64 -w0) --set package=onboarding-custom-acl --set packageversion=2.2

root@master:~# cat /root/my-onboarding.acl

access to dn.subtree="cn=new,ou=customer,dc=schein,dc=me"
by dn.base="uid=rest,cn=technische-user,cn=intern,dc=schein,dc=me" manage
by * break
access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
by dn.base="uid=rest,cn=technische-user,cn=intern,dc=schein,dc=me" manage
by * break

listener.log

22.02.22 08:49:04.605 LDAP ( PROCESS ) : connecting to ldap://master.schein.ig:7389
22.02.22 08:49:04.609 LISTENER ( PROCESS ) : updating ‘cn=onboarding,cn=ldapacl,cn=univention,dc=schein,dc=ig’ command a
22.02.22 08:49:04.609 LISTENER ( PROCESS ) : ldap_extension: cn=onboarding,cn=ldapacl,cn=univention,dc=schein,dc=ig active? [‘FALSE’]
UNIVENTION_DEBUG_BEGIN : uldap.__open host=master.schein.ig port=7389 base=dc=schein,dc=ig
UNIVENTION_DEBUG_END : uldap.__open host=master.schein.ig port=7389 base=dc=schein,dc=ig
UNIVENTION_DEBUG_BEGIN : admin.handlers.simpleLdap._update_policies
UNIVENTION_DEBUG_END : admin.handlers.simpleLdap._update_policies
22.02.22 08:49:19.410 LISTENER ( ERROR ) : ldap_extension: slapd.conf validation failed:
.
UNIVENTION_DEBUG_BEGIN : uldap.__open host=master.schein.ig port=7389 base=dc=schein,dc=ig
UNIVENTION_DEBUG_END : uldap.__open host=master.schein.ig port=7389 base=dc=schein,dc=ig
UNIVENTION_DEBUG_BEGIN : admin.handlers.simpleLdap._update_policies
UNIVENTION_DEBUG_END : admin.handlers.simpleLdap._update_policies
22.02.22 08:49:19.464 LISTENER ( ERROR ) : ldap_extension: Removing new file /etc/univention/templates/files/etc/ldap/slapd.conf.d/onboarding.
22.02.22 08:49:33.693 LISTENER ( PROCESS ) : updating ‘cn=ldap_extension,cn=handler_messages,cn=univention,dc=schein,dc=ig’ command m
22.02.22 08:49:33.710 LISTENER ( PROCESS ) : updating ‘cn=ldap_extension,cn=handler_messages,cn=univention,dc=schein,dc=ig’ command m
20034
22.02.22 08:50:04.553 LDAP ( PROCESS ) : connecting to ldap://master.schein.ig:7389
22.02.22 08:50:04.556 LISTENER ( PROCESS ) : updating ‘cn=onboarding,cn=ldapacl,cn=univention,dc=schein,dc=ig’ command m
22.02.22 08:50:04.557 LISTENER ( PROCESS ) : ldap_extension: cn=onboarding,cn=ldapacl,cn=univention,dc=schein,dc=ig active? [‘TRUE’]
20034
22.02.22 08:50:26.398 LDAP ( PROCESS ) : connecting to ldap://master.schein.ig:7389
22.02.22 08:50:26.401 LISTENER ( PROCESS ) : updating ‘cn=onboarding,cn=ldapacl,cn=univention,dc=schein,dc=ig’ command d

Solution:

On the example of the ACLs you cannot see indentions. But they are mendatory.

access to dn.subtree="cn=new,ou=customer,dc=schein,dc=me"
     by dn.base="uid=rest,cn=technische-user,cn=intern,dc=schein,dc=me" manage
     by * break
access to dn.subtree="cn=temporary,cn=univention,dc=bbc,dc=local"
     by dn.base="uid=rest,cn=technische-user,cn=intern,dc=schein,dc=me" manage
     by * break
#2
Mastodon