Stuck in ACL
- To: openldap-software@openldap.org
- Subject: Stuck in ACL
- From: Wolf-Agathon Schaly <w-a.schaly@arcor.de>
- Date: Wed, 15 Apr 2009 13:50:24 +0200 (CEST)
Fellows
I'm trying to grant write access to the subtree using the following access directive:
access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
        by dn="cn=myusername,ou=users,o=privat,c=de" write
        by anonymous read
        by * auth
This rule is working fine, but for just one user. If I add another 'by dn' like
        by dn="cn=yourusername,ou=users,o=privat,c=de" write
it is working as well. WhoHoo!
That would be fine if I wouldn't expect a huge number of users. Another unacceptable issue would be that the ldap instance would need a restart. That's why I decided to grant access to the dn.subtree to a group (i.e. dba) and have tried the following directive:
access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
        by group="cn=dba,ou=groups,o=privat,c=de" write
        by anonymous read
But whenever I try, as a member of the dba group, to write an entry underneath cn=OracleContext,... I'm getting the error message:
Enter LDAP Password:
adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"
ldap_add: Insufficient access (50)
additional info: no write access to parent
:-(
Any help is highly appreciated
thank you
Wolf-Agathon
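The error "no write access to parent" points at the parent entry, not the new child: slapd checks write access on the `children` pseudo-attribute of cn=OracleContext itself when an entry is added beneath it, and the regex `(.*,)cn=OracleContext,...` requires at least one RDN in front of the base, so it never matches the base entry. Added example, not from the original post: the regex form beside an equivalent dn.subtree rule, which covers the base entry as well; it assumes cn=dba is a groupOfNames whose member values are the users' full bind DNs.

```conf
# Added example, not part of the original post.

# Original regex form: the "(.*,)" prefix demands at least one RDN before the
# base, so cn=OracleContext,ou=services,o=privat,c=de itself never matches.
# Adding a direct child needs write on that parent's "children" pseudo-attribute,
# hence "no write access to parent" for group members.
#access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
#        by group="cn=dba,ou=groups,o=privat,c=de" write
#        by anonymous read

# dn.subtree matches the base entry and everything below it, so the group
# gets write on the parent as well as on the children.
# Assumption: cn=dba is a groupOfNames and its member attribute holds the
# members' full DNs (the default group/groupOfNames/member selector); the bind
# DN must equal one of those values for the clause to match.
# A bound user who is neither a member nor anonymous matches no clause and is
# denied by the implicit trailing "by * none".
access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
        by group="cn=dba,ou=groups,o=privat,c=de" write
        by anonymous read
```

The slapacl(8) tool evaluates the configured ACLs offline, so the result can be checked before touching the running instance: `slapacl -b "cn=OracleContext,ou=services,o=privat,c=de" -D "cn=myusername,ou=users,o=privat,c=de" children/write`.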