
RE: Setting up groups under OpenLDAP



Hi there,

> Error code 50 means you have insufficient access. It's true, ACLs are
> applied to the user used to bind to LDAP.  Make sure you are binding as a
> user with the right ACL to modify things.

Yeah, I bind as uid=dan, which should be a member of the cn=Administrators
group, which should be configured to have write access to all in slapd.conf
(see the original message).  Any ideas which ACL setting I may have missed?

Cheers,
D.

> On Mon, 17 Apr 2000, Dan wrote:
>
> > Hi there,
> >
> > I read through the FAQ-o-matic on setting up groups for access control
> > (http://www.openldap.org/faq/data/cache/52.html), but still seem to be
> > having problems - if I connect to the server as a member of the
> > "administrators" group, I still can't modify attributes of contexts other
> > than the one I've bound as, and I can't create or delete any subcontexts.
> > Perhaps it's with my interpretation of the solution.  Can anybody help me
> > here?
> >
> > Here's my slapd.conf:
> > -----------------------------------
> > database	ldbm
> > suffix		"o=cascade, c=au"
> > directory	/usr/local/ldap/data
> > rootdn		"uid=root, o=cascade, c=au"
> > rootpw		(password)
> >
> > loglevel		4095
> >
> > access to *
> > 	by self write
> > 	by group="cn=Administrators,ou=groups,o=cascade,c=au" (do we need the
> > 	o=cascade,c=au if the suffix is set to this above?)
> > 	by dn=".+" read
> > 	by * read
> >
> > -----------------------------------
> > Here's my tree structure, with some test entities added:
> >
> > o=cascade,c=au
> > |
> > +-ou=people
> > |  |
> > |  +-uid=dan
> > |  +-uid=another
> > |
> > +-ou=groups
> >    |
> >    +-cn=Administrators
> >
> > Now, the uid=dan entry has a userPassword attribute set to binary data, and
> > I can successfully connect using this context and password, and view the
> > entire tree structure.
> >
> > The cn=administrators has the attribute member set to
> > "uid=dan,ou=people,o=cascade,c=au"
> >
> > When I try to add the attribute "test" to uid=another, the log reports
> > "acl_access_allowed: matched by clause #3 access denied", and error code 50
> > is returned.
> >
> > Can anybody tell me where I'm going wrong here, or where some further
> > documentation is to lead me down the right path?
> >
> > Thanks :)
> > D.
> >
> >
> > Dan Makovec
> > e-mail  dan@fatcanary.com.au
> > ICQ     1398090
> > Every day is a gift, that's why the present is so named
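Added example, not part of the thread above: the access directives from the quoted slapd.conf with the group clause completed, written in the same OpenLDAP 1.x/2.0-era syntax the post uses. slapd tries the "by" clauses of a matching "access to" directive in order, and the first clause whose <who> part matches the bound DN decides the access level; it numbers those clauses from one in the "matched by clause #N" log line, so clause #3 in Dan's log is "by dn=".+" read", which means the group clause before it did not match uid=dan's bind DN. Two things to check: the group clause needs an explicit access level (the posted line shows none after the group DN, whether or not one was lost when the question was inserted), and with a bare group="<dn>" slapd looks up that exact, fully spelled DN (the suffix is never appended), expects it to be an entry of objectClass groupOfNames, and expects the bound DN to appear as a "member" value. The "write" on the group clause, the userPassword directive and the LDIF shown in the comments are assumptions made here, not something the thread confirms.

```conf
# Added example, not from the original message.  Same suffix, rootdn and tree
# as the post; "write" on the group clause and the userPassword rule are
# assumptions made here.
database        ldbm
suffix          "o=cascade, c=au"
directory       /usr/local/ldap/data
# rootdn is never subject to access directives; nothing below applies to it.
rootdn          "uid=root, o=cascade, c=au"
# Placeholder kept as in the post; put a hashed value here in practice.
rootpw          (password)

# Keep password hashes out of the catch-all "by * read" further down.  The
# "auth" level lets a client bind against the value without reading it; it
# exists from OpenLDAP 2.0 on, so use "none" here on a 1.x server.
access to attr=userPassword
        by self write
        by group="cn=Administrators,ou=groups,o=cascade,c=au" write
        by * auth

# Clauses are tried in order and the first matching <who> decides.  Counting
# from one, "clause #3" in the log is "by dn=".+" read", so clause #2 (the
# group) did not match the bound DN.  The group DN must be complete: the
# suffix is not appended for you, so o=cascade,c=au has to be spelled out.
access to *
        by self write
        by group="cn=Administrators,ou=groups,o=cascade,c=au" write
        by dn=".+" read
        by * read

# For group="<dn>" with no qualifier slapd requires objectClass groupOfNames
# and a "member" attribute holding the bound DN, so the group entry has to
# look like this (LDIF, assumed here):
#   dn: cn=Administrators,ou=groups,o=cascade,c=au
#   objectClass: groupOfNames
#   cn: Administrators
#   member: uid=dan,ou=people,o=cascade,c=au
```

After reloading, the quickest check is to bind as uid=dan with ldapmodify and add an attribute to uid=another: with loglevel 4095 still set, the ACL log line should now report clause #2 and "access granted" rather than clause #3. On OpenLDAP 2.0 and later the intent of "by dn=".+" read" is spelled more plainly as "by users read".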