[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Help Please

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: ACL Help Please
From: david stackis <david.stackis@isc.ucsb.edu>
Date: Wed, 02 Jul 2008 13:52:26 -0700
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <20080702090832.GN22497@tile.skills-1st.co.uk>

Great!!! it worked!!!
I know I have this setup fairly simple...but it's a good start.

Thanks so much, Andrew
Cheers~

--On Wednesday, July 2, 2008 10:08 AM +0100 Andrew Findlay
<andrew.findlay@skills-1st.co.uk> wrote:

> On Tue, Jul 01, 2008 at 02:05:00PM -0700, david stackis wrote:
> 
>> I added the ACL's you suggested. First I tried...
>>  access to "ou=addressbook,dc=Company,dc=com"
>>         by users write
>>         by * read
>> 
>>  access to *
>>         by * read
> 
> Sorry - that first line should have specified dn.subtree:
> 
> access to dn.subtree="ou=addressbook,dc=Company,dc=com"
> 	by users write
> 	by * read
> 
> access to *
> 	by * read
> 
> You should keep the 'access' keyword hard against the left margin:
> leading white space indicates continuation lines.
> 
>> When I used ldapadd I received this error...
>> 
>> ldapadd -D "cn=Elliott Smith,ou=addressbook,dc=Company,dc=com" -f
>> contact.ldif2
>> Enter bind password: 
>> adding new entry cn=Nick Drake,ou=addressbook,dc=Company,dc=com
>> Enter bind password: 
>> ldap_simple_bind: Invalid credentials
> 
> No surprise there - you did not load anything called "cn=Elliott
> Smith,ou=addressbook,dc=Company,dc=com" so you cannot authenticate as
> it.
> 
>> I then tried is using "ou=users" like this...
>> 
>> ldapadd -D "cn=Elliott Smith,ou=users,dc=Company,dc=com" -f contact.ldif2
>> Enter bind password: 
>> adding new entry cn=Nick Drake,ou=addressbook,dc=Company,dc=com
>> ldap_add: Insufficient access
>> ldap_add: additional info: no write access to parent
> 
> Fixed by new version above.
> 
>> # 
>> # Define individual users
>> # 
>> dn: cn=Elliott Smith,ou=users,dc=company,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Elliott Smith
>> sn: Smith
>> userPassword: mysecret
>> uid: esmith
> 
> That won't load, as uid is not in the person object class: you need
> inetOrgPerson for that.
> 
> Andrew
> -- 
> -----------------------------------------------------------------------
>|                 From Andrew Findlay, Skills 1st Ltd                 |
>| Consultant in large-scale systems, networks, and directory services |
>|     http://www.skills-1st.co.uk/                +44 1628 782565     |
> -----------------------------------------------------------------------



-------------------
david stackis
uc santa barbara
phone: 805-893-8286
http://isc.ucsb.edu

References:
- Re: ACL Help Please
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: segfaults with syncrepl
Next by Date: Re: Chaining
Index(es):
- Chronological
- Thread