Re: acl problem Insufficient access
Matteo Mancini wrote:
But when I try to delete, add or modify some entry in the child domain
with his own cn=master I receive the error:
Result: Insufficient access (50)
Additional info: entry modify failed
A sample command could be:
ldapdelete -x -D"cn=master,ou=admingroup,o=vuserdoamim1,o=domain,
dc=exemple,dc=net" \
-w secret "cn=authouser=admingroup,o=vuserdoamim1,o=domain,
dc=exemple,dc=net"
Where's the mistake????????????
This should be a multiFAQ question. It's been around for a while.
1: Your design is exemplary! I've copied it to my HOWTO Openldap map;
2: This is a "chicken and egg" situation. master cannot gain rights to
subtrees unless he has rights to the parent(s) as well. So begin at
supermaster, he will have rights, and make under-supermasters all the
way down in the tree to see what happens and give them rights. How you
do this depends on the software version you are using. I can't give
specific advice since you, like many, refuse to say with which software
version you're working. ("Openldap" isn't sufficient.) However, stick to
regexps and be prepared to use more than a single one for each ACL.
PS: who knows a good ldap's acl howto
There wasn't one when I searched last. The archives for this list are
pretty good. Then there's Adam Williams' standard work
(ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf.) Hints are both in
'man 5 slapd.access' (with my version) and the site Admin manual for 2.1.
Best,
Tony
--
Tony Earnshaw
http://www.billy.demon.nl
Mail: tonni@billy.demon.nl
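
An added example, not part of Tony's message or Matteo's configuration: a slapd.conf sketch of the regex approach for the DNs in the sample command. It assumes a release whose slapd.access(5) documents submatch substitution ($1, $2) in "by dn.regex" clauses; the supermaster DN is hypothetical, since the thread never gives it.

```conf
# Added illustration; not from the thread. Check every clause against
# 'man 5 slapd.access' for the release actually in use.
#
# Rules are evaluated in order and the first <what> that matches an entry
# decides, so the per-domain rule must come before any broader rule such
# as "access to *".
#
# The regex matches a domain entry o=<name>,o=domain,dc=exemple,dc=net and
# everything below it. $2 is the captured <name>, so each cn=master gets
# write access to its own domain only.
#
# An add or delete needs write access to the target's "entry"
# pseudo-attribute and to the parent's "children" pseudo-attribute. No
# attrs= restriction is given here, so both are covered for entries
# inside the domain.
#
# cn=supermaster,dc=exemple,dc=net is a hypothetical DN. The final
# "by * read" is a placeholder for whatever the site allows everyone else.
access to dn.regex="^(.+,)?o=([^,]+),o=domain,dc=exemple,dc=net$"
    by dn.regex="^cn=master,ou=admingroup,o=$2,o=domain,dc=exemple,dc=net$" write
    by dn.exact="cn=supermaster,dc=exemple,dc=net" write
    by * read

# Parent level: only the supermaster may create or remove whole domains,
# because that needs write access to "children" of o=domain itself.
access to dn.subtree="o=domain,dc=exemple,dc=net"
    by dn.exact="cn=supermaster,dc=exemple,dc=net" write
    by * read
```

After reloading slapd, rerunning the ldapdelete from the question with ACL logging enabled (loglevel 128) shows which rule and which "by" clause decided the request.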