[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldap] Permsion on Parent

To: <phantom@ohiocounty.net>
Subject: Re: [ldap] Permsion on Parent
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 13 Mar 2003 21:42:50 +0100 (CET)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3E70E19A.3643A18D@ohiocounty.net>
References: <LISTMANAGER-1256221-281073-2003.03.10-21.22.28--phantom#ohiocounty.net@listserver.itd.umich.edu> <3E70D48D.168412D9@ohiocounty.net> <62135.81.72.89.40.1047586573.squirrel@webmail.sys-net.it> <3E70E19A.3643A18D@ohiocounty.net>

> Actually I tried it all ways. (*.*) (.*) (*.) (*)

It was for the sake of completeness; if you're trying to get
to write an entry under "ou=People,dc=example,dc=com", then
you need write access to "ou=People,dc=example,dc=com" to be
able to add a child; if you don't want to give your admin user
complete write permission to "ou=People,dc=example,dc=com",
you can give it permission to add children by using:

access to dn.exact="ou=People,dc=example,dc=com" attrs=children
    by dn="cn=peopleroot,dc=example,dc=com" write

and, if you can alleviate your "uid=.*" rdn requirement,
you can also do

access to dn.children="ou=People,dc=example,dc=com"
    by dn="cn=peopleroot,dc=example,dc=com" write

this way, you'll also save two regex; otherwise

access to dn="uid=.*,ou=People,dc=example,dc=com"
    by dn="cn=peopleroot,dc=example,dc=com" write

p.

>
> Pierangelo Masarati wrote:
>>
>> > Is there any docs that shows all this?
>> >
>> > Robert Canary wrote:
>> >>
>> >> I am trying create a record under ou=People,dc=example,dc=com
>> >>
>> >> I am using the dn"uid=newuser2add,ou=People,dc=example,dc=com
>> >>
>> >> If I run the ldif file with cn=root it gose fine, but I don'r want
>> that.  I am trying to setup a user specificly for adding new
>> people. So I set a user called "peopleroot" and added this
>> superuser in the acls as follows:
>> >>
>> >> access to dn="uid=*,ou=People,dc=example,dc=com"
>> >>         by dn="cn=peopleroot,dc=example,dc=com" write
>>
>> If you're using OpenLDAP software, this regex is incorrect;
>> it should be
>>
>> access to dn="uid=.*,ou=People,dc=example,dc=com"
>>         by dn="cn=peopleroot,dc=example,dc=com" write
>>
>> note the dot '.' before the star '*'.
>>
>> >>
>> >> But it still gives me:
>> >> ldap_add: Insuffiecent access
>> >> additional Info: nowrite access to parent
>> >> ldif_record()=50
>> >>
>> >> Can someone tell me what the proper dn for peopleroot should be to
>> allow write permissions
>> >>
>> >> thanks in advance
>> >> --
>> >> robert
>> >>
>> >> ---
>> >> You are currently subscribed to ldap@umich.edu as:
>> >> [phantom@ohiocounty.net] To unsubscribe send email to
>> >> ldap-request@umich.edu with the word UNSUBSCRIBE as the SUBJECT of
>> the message.
>>
>> --
>> Pierangelo Masarati
>> mailto:pierangelo.masarati@sys-net.it


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- Re: [ldap] Permsion on Parent
  - From: Robert Canary <phantom@ohiocounty.net>
- Re: [ldap] Permsion on Parent
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: [ldap] Permsion on Parent
  - From: Robert Canary <phantom@ohiocounty.net>

Prev by Date: Re: [ldap] Permsion on Parent
Next by Date: Re: [ldap] Permsion on Parent
Index(es):
- Chronological
- Thread