
Re: ACL question



My guess here is that although the replicator has full
access to the entire tree under "ou=origin,dc=myorg,dc=org",
since it does not have access to its own record, which is
not under that ou, it cannot read its own record for the
purposes of authentication.

I bet if you cranked up the debug level on your slapd and
watched the conversation, you would see the query fail
when trying to auth the replicator.

James Shvarts wrote:

Hello all,

I have the following context: ou=origin,dc=myorg,dc=org, which contains users whose DNs are expressed in this form: uid=user1,ou=origin,dc=myorg,dc=org;
uid=user2,ou=origin,dc=myorg,dc=org, etc.


I also have a "replicator" account with the following DN: cn=replicator,dc=myorg,dc=org (while my rootdn is cn=admin,dc=myorg,dc=org). The replicator account should be able to manipulate users within ou=origin,dc=myorg,dc=org in any possible way (insert, update, delete, search, etc.).

I have a hard time coming up with a proper ACL to allow the replicator account to manipulate user entries. I tried adding the statement below to slapd.conf without any other ACL rules, but if I try to retrieve all users with ldapsearch (binding as cn=replicator,dc=myorg,dc=org) I get: ldap_bind: Insufficient access (50).

access to dn=".*,ou=origin,dc=myorg,dc=org"
       by dn="cn=replicator,dc=nsdl,dc=org" write

I would appreciate any help.
-- James
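The following slapd.conf fragment is an added example written for this thread, not something either participant posted; it follows the reply's diagnosis (the bind fails because the replicator entry itself is covered by no rule) and assumes the dc=myorg,dc=org suffix from James's message plus the dn.exact/dn.subtree ACL syntax of OpenLDAP 2.1 and later. A simple bind as cn=replicator needs `auth` access to that entry's userPassword attribute, and that entry sits outside ou=origin, so the subtree rule alone never grants it.

```conf
# Added example, not from the thread. Assumes OpenLDAP 2.1+ ACL syntax
# and the dc=myorg,dc=org suffix used in the question.

# 1. Let the (still anonymous) bind operation verify the replicator's
#    password. Only "auth" is granted, so nobody can read the hash.
#    Rules are evaluated in order; keep this attribute-specific rule
#    ahead of any broader rule that would match the same entry first.
access to dn.exact="cn=replicator,dc=myorg,dc=org" attrs=userPassword
       by anonymous auth
       by * none

# 2. Full read/write on every entry under ou=origin (the "what" in the
#    quoted rule), granted to the replicator by its exact DN.
access to dn.subtree="ou=origin,dc=myorg,dc=org"
       by dn.exact="cn=replicator,dc=myorg,dc=org" write
       by * read

# Anything not matched above falls through to slapd's implicit
# "access to * by * none"; add further rules as the deployment needs.
```

Two checks worth making against the quoted rule itself. First, its `by dn=` clause names cn=replicator,dc=nsdl,dc=org while the DN James binds with is cn=replicator,dc=myorg,dc=org; unless that is an anonymisation slip, the clause never matches. Second, the quoted rule uses the older regex form of `dn=`; on a release that only understands that form, the equivalent of the two rules above is anchored regexes such as `dn="^cn=replicator,dc=myorg,dc=org$"` and `dn="^.*,ou=origin,dc=myorg,dc=org$"`. As the reply suggests, running slapd with a higher debug level (for example `-d acl`, or `-d 128` on older releases) prints each ACL evaluation, so you can see exactly which rule denies the bind.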