[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)

To: darkxer0x <darkxer0x@gmail.com>
Subject: Re: Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 17 Nov 2008 21:55:21 +0100
Cc: openldap-software@openldap.org
In-reply-to: <6cde2fa80811170937o1d46d1efq1b555229794e015c@mail.gmail.com>
References: <2c8076820811161800m41649980n1bc977c92af56fb3@mail.gmail.com> <hbf.20081117cu96@bombur.uio.no> <6cde2fa80811170937o1d46d1efq1b555229794e015c@mail.gmail.com>

darkxer0x writes:
> Thank you very much.
> But, I have another problem, what is the ACL to permit "seff" to
> change dn?

"man slapd.access" says:

    The modrdn operation requires write (=w) privileges on the
    pseudo-attribute entry of the entry whose relative DN is being
    modified, write (=w) privileges on the pseudo-attribute children of
    the old and new entry's parents, and write (=w) privileges on the
    attributes that are present in the new relative DN.  Write (=w)
    privileges are also required on the attributes that are present in
    the old relative DN if deleteoldrdn is set to 1.

Thus you'll need something like

    # hide passwords, but allow users to update their own
    access to attrs=userPassword by self =wx by * auth
    # allow users to add/delete/move entries directly below dc=dominio
    access to dn="dc=dominio" attrs=children
           by dn.onelevel="dc=dominio" write
    # allow users to write their own entries and everyone to read
    # everything else
    access to *  by self write   by * read

> I''ve tried in slapd.conf:
> access to dn.base="" by self write

This tries to grant access to the single entry with DN "", which is not
a user entry but a special entry that describes the LDAP server.
Also it doesn't grant any access to anyone but 'self'.

Maybe you meant
      access to *   by self write   by * read
or something like
	access to dn.subtree=<some DN>   by self write   by * read

> This doesn't work

It would help if you said which error message you receive (where slapd
tries to _tell_ you why it failed), but here is a guess:

> I've read some howto about ldapmodrdn and all of them say: -D
> "Directory Manager",

Hopefully they don't, since that's not a valid DN.  It would
be something like
   -D "cn=Directory Manager,dc=dominio"

assuming your slapd.conf includes something like

database bdb
suffix "dc=dominio"
rootdn "cn=Directory Manager,dc=dominio"
rootpw <some password, possibly encrypted with sbin/slappasswd>

A database's rootdn is a special DN you can bind as which
has full access to the database regardless of access control,
and which does not need to exist in the database - which is
why you can specify its password in slapd.conf instead.

-- 
Hallvard

References:
- Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)
  - From: "Alberto GD" <darkxer0x@esdebian.org>
- Re: Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)
Next by Date: Rewriting entry dns
Index(es):
- Chronological
- Thread