Re: acl problem Insufficient access
Hi
2: This is a "chicken and egg" situation. master cannot gain rights to
subtrees unless he has rights to the parent(s) as well. So begin at
supermaster, he will have rights, and make under-supermasters all the
way down in the tree to see what happens and give them rights. How you
do this depends on the software version you are using. I can't give
specific advice since you, like many, refuse to say with which
software version you're working. ("Openldap" isn't sufficient.)
However, stick to regexps and be prepared to use more than a single
one for each ACL.
I'm using OpenLDAP v. 2.0.23 on a woody
access to attribute=userPassword
    by dn="cn=admin,dc=exemple,dc=net" write
    by dn="cn=authuser,dc=exemple,dc=net" read
    by anonymous auth
    by self write
    by * none
This is my ACL file:
access to attribute=userPassword
    by dn="cn=admin,dc=exemple,dc=net" write
    by dn="cn=authuser,dc=exemple,dc=net" read
    by anonymous auth
    by self write
    by * none
# The admin dn has full write access
access to *
    by dn="cn=admin,dc=exemple,dc=net" write
# Virtual mail domain access (Courier-ldap)
access to dn=".*,o=([^,]+),o=hosting,dc=exemple,dc=net"
    attr=userPassword
    by self write
    by group/organizationalRole/roleOccupant="cn=postmaster,o=$1,o=hosting,dc=exemple,dc=net" write
    by anonymous auth
    by * none
# Master user access
access to dn=".*,ou=admingroup,o=([^,]+),o=domain,dc=exemple,dc=net"
    by dn="cn=master,ou=admingroup,o=$1,o=domain,dc=exemple,dc=net" write
PS: who knows a good LDAP ACL howto?
There wasn't one when I searched last. The archives for this list are
pretty good. Then there's Adam Williams' standard work
(ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf). Hints are both in
'man 5 slapd.access' (with my version) and the site Admin manual for 2.1.
I've just read it... but it has not resolved my doubts.
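To see which directive actually decides a request, here is a toy evaluator, added as an example and not part of this thread or of OpenLDAP's code: it applies the first-matching-target rule documented in slapd.access(5) (directives are tried in order, the first one whose target matches decides, its `by` clauses are tried in order, and if none matches access is denied) to the ACL posted above, with the `by` lines indented as slapd.conf continuation lines and the double comma in the master directive's `dn=` pattern assumed to be a typo. The postmaster entry, the bind DNs (`cn=master,...`, `uid=pm,...`) and the target entries are constructed sample data under the thread's `dc=exemple,dc=net` suffix. Evaluated in the posted order, both the master and the Courier postmaster get `none`, because `access to attribute=userPassword` has no dn target and so catches every userPassword request, and `access to *` catches everything else, so the two later directives are never reached; the `REORDERED` list puts the specific targets first and `access to *` last.

```python
"""Toy evaluator for slapd.conf ACLs (added example), following slapd.access(5):
directives are tried in order, the first whose target matches decides, its <by>
clauses are tried in order and the first matching <who> sets the level; else denied.
Simplified on purpose: no break/continue controls, no entry/children pseudo-attrs."""
import re
import shlex

# The ACL posted in the thread (continuation lines indented, as slapd.conf requires).
POSTED_ACL = """
access to attribute=userPassword
    by dn="cn=admin,dc=exemple,dc=net" write
    by dn="cn=authuser,dc=exemple,dc=net" read
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=exemple,dc=net" write
access to dn=".*,o=([^,]+),o=hosting,dc=exemple,dc=net" attr=userPassword
    by self write
    by group/organizationalRole/roleOccupant="cn=postmaster,o=$1,o=hosting,dc=exemple,dc=net" write
    by anonymous auth
    by * none
access to dn=".*,ou=admingroup,o=([^,]+),o=domain,dc=exemple,dc=net"
    by dn="cn=master,ou=admingroup,o=$1,o=domain,dc=exemple,dc=net" write
"""

def norm_dn(dn):
    """Approximate slapd's DN normalisation: lowercase, no blanks around commas."""
    return None if dn is None else ",".join(r.strip().lower() for r in dn.split(","))

def parse_acl(text):
    """Join continuation lines, drop comments, split 'access to <what> by <who> <level>...'."""
    lines = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and lines:
                lines[-1] += " " + raw.strip()
            else:
                lines.append(raw.strip())
    rules = []
    for tok in (t for t in map(shlex.split, lines) if t[:2] == ["access", "to"]):
        rule, i = {"dn": None, "attrs": None}, 2   # a bare "*" target needs no record
        while i < len(tok) and tok[i] != "by":
            key, _, val = tok[i].partition("=")    # shlex already stripped the quotes
            if key == "dn":
                rule["dn"] = val
            elif key in ("attr", "attrs", "attribute"):
                rule["attrs"] = {a.strip().lower() for a in val.split(",")}
            i += 1
        rule["by"] = [(tok[j + 1], tok[j + 2]) for j in range(i, len(tok), 3)]
        rules.append(rule)
    return rules

def expand(pattern, groups, literal):
    """Substitute $1..$9 from the target-DN match; regex-escape unless a literal DN is wanted."""
    vals = [g if literal else re.escape(g) for g in groups]
    return re.sub(r"\$([1-9])", lambda m: vals[int(m.group(1)) - 1], pattern)

def who_matches(who, groups, directory, requester, target):
    if who in ("*", "anonymous", "self"):
        return {"*": True, "anonymous": requester is None,
                "self": requester is not None and requester == target}[who]
    key, _, val = who.partition("=")
    if key == "dn":                            # regex against the normalised bind DN, unanchored like regexec
        return requester is not None and re.search(expand(val, groups, False), requester, re.I) is not None
    spec = key.split("/")                      # group[/objectClass[/memberAttr]]=<group dn>
    if spec[0] == "group":
        oc = (spec[1] if len(spec) > 1 else "groupOfNames").lower()
        member_attr = (spec[2] if len(spec) > 2 else "member").lower()
        entry = directory.get(norm_dn(expand(val, groups, True)), {})
        if oc not in {v.lower() for v in entry.get("objectclass", [])}:
            return False
        return requester in {norm_dn(m) for m in entry.get(member_attr, [])}
    raise ValueError("unsupported <who>: " + who)

def granted(rules, directory, requester, target, attr=None):
    """Level the ACL grants requester on target/attr; 'none' when denied."""
    requester, target = norm_dn(requester), norm_dn(target)
    for rule in rules:
        m = re.search(rule["dn"], target, re.I) if rule["dn"] else None
        if rule["dn"] and m is None:
            continue
        if rule["attrs"] is not None and (attr is None or attr.lower() not in rule["attrs"]):
            continue
        for who, level in rule["by"]:
            if who_matches(who, m.groups() if m else (), directory, requester, target):
                return level
        return "none"                          # target matched but no <by> did: denied, no fall-through
    return "none"

# Constructed sample data: hypothetical DNs under the thread's dc=exemple,dc=net suffix.
DIRECTORY = {norm_dn("cn=postmaster,o=acme.tld,o=hosting,dc=exemple,dc=net"): {
    "objectclass": ["organizationalRole"], "roleoccupant": ["uid=pm,o=acme.tld,o=hosting,dc=exemple,dc=net"]}}
MASTER = "cn=master,ou=admingroup,o=acme,o=domain,dc=exemple,dc=net"
STAFF = "cn=bob,ou=admingroup,o=acme,o=domain,dc=exemple,dc=net"
PM, MAILBOX = "uid=pm,o=acme.tld,o=hosting,dc=exemple,dc=net", "uid=joe,o=acme.tld,o=hosting,dc=exemple,dc=net"
POSTED = parse_acl(POSTED_ACL)
REORDERED = [POSTED[2], POSTED[3], POSTED[0], POSTED[1]]   # specific targets first, "access to *" last
```

With `REORDERED`, `granted(REORDERED, DIRECTORY, MASTER, STAFF, "mail")` returns `write` and the master of `o=acme` still gets `none` on entries under `o=beta`, since `$1` is taken from the target that matched. Reordering has a side effect worth checking too: once the master directive matches an entry, `cn=admin` only keeps write there if that directive also names it, so each specific directive needs its own `by dn="cn=admin,..." write` line (or the admin is made the rootdn, which is not subject to access control at all). Anchor dn patterns with `^...$` in a real slapd.conf; regex matching is unanchored, so `.*,o=([^,]+),o=hosting,...` would also match a DN that merely contains that suffix somewhere in the middle.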