Hello, list.
I'm facing a problem here: need to offer create/delete/modify
permissions to a groupOfNames so they can handle users, without allowing
them to handle other things (like groups, for example).
This is the organization of my LDAP now:
+ dc=company, dc=net
+ ou=people, dc=company, dc=net
+ uid=champs, ou=people, dc=company, dc=net
- objectClass: inetOrgPerson
+ ou=groups, dc=company, dc=net
+ cn=admin, ou=groups, dc=company, dc=net
- objectClass: groupOfNames
- member: uid=champs, ou=people, dc=company, dc=net
And this is the permissions configuration from the slapd.conf:
--------
access to dn.children="dc=company,dc=net"
by group.exact="cn=admin,ou=Groups,dc=company,dc=net" write
by self write
by * none
--------
This is my .ldaprc:
----
URI ldap://ldap.company.net/
BASE dc=company, dc=net
BINDDN uid=lcampos, ou=people, dc=company, dc=net
----
I'm sure that I'm using the right user and should have access to the
permissions I've set up:
----
champs:~/ldiff$ ldapwhoami -xW
Enter LDAP Password:
dn:uid=lcampos,ou=People,dc=company,dc=net
----
But when I try to use my newly-granted permissions to add a user, I get
this:
----
champs:~/ldiff$ ldapadd -xWf apalinkas.ldiff
Enter LDAP Password:
adding new entry "uid=palinkas, ou=People, dc=company, dc=net"
ldap_add: Insufficient access (50)
additional info: no write access to parent
----
Maybe someone here could help me figure out what I'm doing wrong? I'm
pretty sure that all this is because I'm doing something stupid somewhere.
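For readers with the same delegation problem, here is an added example (not part of the original post) of how "this group may manage people, but not groups" is normally expressed in slapd.conf ACLs. It assumes the same tree and the same cn=admin group as above; the userPassword rule, the ou=groups rule and the catch-all rule are additions for illustration. Note that in OpenLDAP the first `access to` clause whose target matches the entry wins, so the narrower rules come first, and a clause with no `attrs=` also covers the `entry` and `children` pseudo-attributes, which is what ldapadd needs on the parent (`ou=people`) when creating a new `uid=` entry.

```conf
# Passwords: users may change their own, admins may reset anyone's,
# anonymous may only use the value to authenticate (never read it).
# This must precede the broader ou=people rule below.
access to dn.subtree="ou=people,dc=company,dc=net" attrs=userPassword
    by group.exact="cn=admin,ou=groups,dc=company,dc=net" write
    by self write
    by anonymous auth
    by * none

# Everything else under ou=people, including the ou=people entry itself
# (so the group gets write on its "children" pseudo-attribute and can add
# and delete user entries). Members of cn=admin get full write; a user may
# edit only his own entry; other authenticated users may read.
access to dn.subtree="ou=people,dc=company,dc=net"
    by group.exact="cn=admin,ou=groups,dc=company,dc=net" write
    by self write
    by users read
    by * none

# Groups stay read-only for everyone, including the admin group, so the
# delegated admins cannot add themselves or others to cn=admin.
access to dn.subtree="ou=groups,dc=company,dc=net"
    by users read
    by * none

# Catch-all for the rest of the tree (the base entry, other OUs).
access to *
    by users read
    by * none
```

Two things to check after reloading slapd: `group.exact` only matches when the DN that actually bound (the one `ldapwhoami -xW` prints) appears verbatim as a `member` value of the group, so compare that output against the group entry before looking for ACL problems; and the ACL itself can be tested offline without touching the server, e.g. `slapacl -f /etc/ldap/slapd.conf -D "uid=lcampos,ou=people,dc=company,dc=net" -b "ou=people,dc=company,dc=net" children/write`, which prints whether that bind DN is ALLOWED or DENIED the `children/write` access that an ldapadd under ou=people requires.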