ACL problem
- To: openldap-software@openldap.org
- Subject: ACL problem
- From: Guillaume CHARDIN <guillaume.chardin@gmail.com>
- Date: Sun, 12 Apr 2009 18:42:30 +0200
Hi, I'm a beginner with OpenLDAP and I would like some help with
configuring a test directory (for now).
I thought I had set up the base of the directory correctly, but I encounter
some issues with ACLs to delegate rw access to some users/OUs/groups.
While I can do anything on the directory with the 'rootdn', I wasn't
able to give rw access to another user (admintest) on the directory.
To achieve this task I use several tools: phpldapadmin, ldapadd,
ldapdelete. And every time these tools return an error about the rights of
the user I bind to the directory with.
Here is an example:
]# ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local
Enter LDAP Password:
ldap_delete: Insufficient access (50)
        additional info: no write access to parent
If I do the same with the rootdn user everything goes fine.
I use a static configuration on the server side, so I have to
stop/restart slapd to have new ACLs applied.
Below are my access rules as written in my slapd.conf file:
# in the global config:
access to * by * read

# in the "database" config:
access to dn.subtree="dc=brcorp,dc=local"
        by dn.one="uid=admintest,dc=brcorp,dc=local" write
        by self write
access to *
        by dn.exact="cn=Manager,dc=brcorp,dc=local" read
        by * none
I read in the admin documentation that the global directives are applied
after the "database" access directives have been read. So the 'access to *
by * read' is applied after 'access to dn.subtree="dc=brcorp,dc=local"
by dn.one="uid=admintest,dc=brcorp,dc=local" write', which is the
important line for my user.
What's wrong with my configuration?
Can someone tell me?
Thanks for your help.
--
Guillaume
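Added note and example (not part of Guillaume's post, and not an official reply on the list): the behaviour in the post follows from two rules in slapd.access(5). First, slapd evaluates "access to" directives in order and stops at the first one whose <what> matches the target entry; a database's own directives are consulted before the global ones, so the global "access to * by * read" is only reached for targets no database clause matches (if it were reached, it would grant anonymous read on everything). Second, in a <by> clause "dn.one=<dn>" matches bound identities whose DN sits one level *below* <dn>, i.e. children of uid=admintest, never uid=admintest itself. With ou=test,dc=brcorp,dc=local as the target, the subtree clause matches, no <by> clause matches admintest, and the implicit trailing "by * none" denies the delete, which also needs write on the parent's "children" pseudo-attribute, hence "no write access to parent". The fragment below shows the posted rule next to a corrected version; the DNs are the ones from the post, and the reader/anonymous policy in the last two <by> lines is an assumption chosen for illustration.

```conf
# Added example slapd.conf ACL fragment; goes in the "database" section.
# DNs are taken from the post; the "by users read" / "by * none" policy
# at the end is assumed for illustration, not something the post states.

# As posted: "dn.one" in a <by> clause matches binds whose DN is one level
# BELOW uid=admintest (i.e. its children), not uid=admintest itself. This
# is the first "access to" whose <what> matches ou=test, so evaluation stops
# here, no <by> clause matches admintest, and the implicit "by * none" denies.
#access to dn.subtree="dc=brcorp,dc=local"
#        by dn.one="uid=admintest,dc=brcorp,dc=local" write
#        by self write

# Corrected: match the bound DN exactly. Deleting ou=test needs write on the
# entry and on the "children" pseudo-attribute of dc=brcorp,dc=local, and
# both sit inside this subtree, so one clause covers the whole delegation.
# Entries still get write on themselves, authenticated users get read,
# anonymous binds get nothing. Keep the explicit "by * none" so the policy
# does not rely on the implicit default.
access to dn.subtree="dc=brcorp,dc=local"
        by dn.exact="uid=admintest,dc=brcorp,dc=local" write
        by self write
        by users read
        by * none
```

Two checks worth doing before restarting slapd: the rootdn bypasses ACLs entirely, so if cn=Manager is the rootdn the separate "access to * by dn.exact=cn=Manager,... read" clause grants it nothing it did not already have, and for entries under the suffix it is never reached anyway. And slapacl(8) evaluates the ACLs offline from the config without binding a client, for example "slapacl -f /etc/openldap/slapd.conf -D uid=admintest,dc=brcorp,dc=local -b dc=brcorp,dc=local children/write" (config path assumed), which reports whether the delete's parent check would pass under the new rule.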