Re: ACL questions
At 04:59 PM 7/10/2006, MT wrote:
>I know this has a very simple solution, unfortunately ACLs are
>kicking my rear.
>I have what is turning out to be a company roster with names, email,
>telephone, address, and userpassword. What I'm trying to allow is
>just three users to authenticate and view "sensitive" info (i.e.
>telephone number, home address, password). Here's what I have so far
>for the ACLs:
>
>access to dn="ou=cmc,dc=cmcflex,dc=com"
>        attrs="telephoneNumber","homePhone","userPassword"
>    by users write
>    by * auth
>
>access to *
> by * read
>
>Okay, so far anonymous just see the "basic" (non-sensitive) fields.
>If I:
>
>ldapsearch -x -D "cn=mtice@cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -w secret
>
>I can view ALL info - which is what I want. So ultimately it now
>comes down to adding/deleting/modifying entries. I'm trying to add a
>test user using the command:
>
>ldapadd -x -w secret -D "cn=mtice@cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -f test.ldif
>
>I get the error:
>
>ldap_add: Insufficient access (50)
> additional info: no write access to parent
>
>I suppose it means that I can write to
>ou=cmc,dc=cmcflex,dc=com but not to dc=cmcflex,dc=com.
More specifically, it means that the subject doesn't have write
access to the "children" pseudo-attribute of the target's parent.
>Is that
>correct or am I way off? I tried messing with the ACLs a bit but
>just completely screwed it up.
>
>I'm using OpenLDAP 2.2.27 on a SUSE 10 box.
Historic stuff...
> If I need to post
>any additional info please let me know. Any help would be greatly
>appreciated.
>
>Thanks,
>Matt
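The quoted configuration grants write access only to three attributes, and nothing grants write access to the "children" pseudo-attribute of ou=cmc or to the "entry" pseudo-attribute of the entry being added, so every ldapadd under ou=cmc stops with "no write access to parent". The slapd.conf fragment below is an added example written for this reply, not a configuration posted by anyone in the thread. It assumes the three privileged users are the member values of a groupOfNames at cn=roster-admins,ou=groups,dc=cmcflex,dc=com (a DN I made up; it must exist and is easiest to create as rootdn) and that the home address lives in homePostalAddress; rename both to match the real directory.

```conf
# Added example (not from the thread): slapd.conf ACLs for the roster.
# ASSUMPTION: cn=roster-admins,ou=groups,dc=cmcflex,dc=com is a
# groupOfNames whose member attribute lists the three privileged users.
# ASSUMPTION: the home address is stored in homePostalAddress.
#
# slapd uses the FIRST "access to" directive whose target (DN plus
# attribute list) matches the request, so the narrow rules for
# sensitive attributes and for the entry/children pseudo-attributes
# must appear before the catch-all rules.

# 1. Sensitive attributes: the roster admins read and write them;
#    everyone else gets "auth" only, which keeps simple binds against
#    userPassword working without disclosing the values.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
        attrs=telephoneNumber,homePhone,homePostalAddress,userPassword
    by group="cn=roster-admins,ou=groups,dc=cmcflex,dc=com" write
    by * auth

# 2. Adding or deleting an entry requires write access to the
#    "children" pseudo-attribute of its parent (here ou=cmc) and to the
#    "entry" pseudo-attribute of the entry itself.  This is the rule the
#    quoted configuration lacks, and it is what "no write access to
#    parent" is complaining about.  Ordinary users still need read on
#    "entry", or search results would not be returned to them.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
        attrs=entry,children
    by group="cn=roster-admins,ou=groups,dc=cmcflex,dc=com" write
    by * read

# 3. Every other attribute in the roster: admins write, the world reads.
#    ldapadd also checks write access to each attribute present in the
#    new entry, which this rule supplies for the non-sensitive ones.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
    by group="cn=roster-admins,ou=groups,dc=cmcflex,dc=com" write
    by * read

# 4. Anything outside ou=cmc stays read-only for everyone (the rootdn
#    bypasses ACLs and can still maintain ou=groups and the suffix).
access to *
    by * read
```

OpenLDAP 2.2 reads slapd.conf only at start-up, so restart slapd after the change, then repeat the ldapadd bound as one of the three group members; a bind as a user outside the group should still be refused with "Insufficient access (50)" on the add while searches keep working. The `dn.subtree` style (rather than the bare regex-style `dn="..."` in the quoted rule) makes the target explicit: the ou=cmc entry and everything below it, and nothing elsewhere in the tree that merely happens to contain that string.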