
Re: group access "write" in OpenLDAP 2.1.4



Fri, 2002-09-13 at 11:44, Michiko Nagara wrote:

> Thank you for your advice, but I have some troubles, yet.

> > You haven't said whether you've made a record for Fred Bloggs, but I
> > presume you have.

> Yes. I have created a record for fred blogs.

> And now, I have created a new record for michiko nagara.
> cn=michiko nagara,dc=example,dc=com

> > This is the relevant line from my ACL, it works :-) This is on a single
> > line:

> > by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> > dnattr=member write

> I have changed my acl to the following.
 
> access to *
>        by group="cn=administrators,dc=example,dc=com" dnattr=member write  
>        by * auth

> I tried to modify dn "cn=fred blogs,dc=example,dc=com",
> I got an error message:
> ldap_modify: Insufficient access (50)

Try adding 'by dn="cn=michiko nagara,dc=example,dc=com" write' to that
ACL and try modifying as user michiko nagara. Then you have something to
compare to.

Do *not* try to modify 'dn="cn=fred blogs,dc=example,dc=com"', by the
way; modify some other attribute, or that DN will "disappear".

Errrm ... You are stopping and starting slapd each time you change an
ACL, are you not?

> And I tried to modify dn "cn=michiko nagara,dc=example,dc=com",
> I got the same error message.

> > Well, it works for me (with 2.1.4 /Berkeley 4.0.14). So, have you
> > indexed objectclass in slapd.conf (eq,pres), and have you run slapindex
> > (don't forget that the indices in the DB directory have to be able to be
> > read by the slapd user).

> I have indexed objectclass in slapd.conf:
> index  objectClass  pres,eq
> and run slapindex.

> Then, I tried to search filter "(objectclass=*)", but I got
> no entries.

Are you using the right base in ldapsearch? You don't have to give a
base, as long as the HOST/BASE combination in /etc/ldap.conf is correct,
and BASE in that file matches SUFFIX in slapd.conf; otherwise you have
to specify the base in ldapsearch (man ldapsearch).

After all, as I said, it works for me, so why shouldn't it work for you?

Best,

Tony

-- 

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


Attachment: signature.asc
Description: This is a digitally signed message part
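
An added example, not part of the original message: a small check of the point made above that BASE in /etc/ldap.conf has to line up with the suffix in slapd.conf, generalised slightly to accept a BASE that sits anywhere under a configured suffix. The file contents are constructed samples, and the DN normalisation is a simplification that assumes no escaped commas.

```python
import re

# Constructed sample files (not from the thread): the client BASE has a typo.
SLAPD_CONF = '''\
# slapd.conf (constructed sample)
database  bdb
suffix    "dc=example,dc=com"
index     objectClass pres,eq
'''
LDAP_CONF = '''\
# ldap.conf (constructed sample)
HOST 127.0.0.1
BASE dc=exmaple, dc=com
'''

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, drop surrounding quotes and
    spaces around ',' and '='. Assumption: no escaped commas in the DN."""
    dn = dn.strip().strip('"')
    rdns = [re.sub(r'\s*=\s*', '=', r.strip()) for r in dn.split(',')]
    return ','.join(rdns).lower()

def directive_values(text, keyword):
    """Normalised argument of every '<keyword> <value>' line (case-insensitive).
    Comment lines never match because their first token starts with '#'."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            out.append(norm_dn(parts[1]))
    return out

def base_within_suffix(base, suffixes):
    """True if base equals a suffix or is subordinate to one."""
    return any(base == s or base.endswith(',' + s) for s in suffixes)

def check(slapd_conf, ldap_conf):
    """Compare the client's default search base with the server's suffixes."""
    suffixes = directive_values(slapd_conf, 'suffix')
    bases = directive_values(ldap_conf, 'BASE')
    if not bases:
        return 'no BASE set: pass -b to ldapsearch'
    if base_within_suffix(bases[0], suffixes):
        return 'ok'
    return 'mismatch: BASE %s is outside suffix(es) %s' % (bases[0], suffixes)

if __name__ == '__main__':
    print(check(SLAPD_CONF, LDAP_CONF))
```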