
Stuck in ACL
Fellows 

I'm trying to grant write access to the subtree using the following access directive

access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
        by dn="cn=myusername,ou=users,o=privat,c=de" write
        by anonymous read
        by * auth

This rule is working fine, but for just one user. If I add another 'by dn' like

        by dn="cn=yourusername,ou=users,o=privat,c=de" write

it is working as well. Woohoo!
That would be fine if I didn't expect a huge number of users. Another unacceptable issue would be that the LDAP instance would need a restart. That's why I decided to grant access to the dn.subtree to a group (i.e. dba) and have tried the following directive

access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
        by group="cn=dba,ou=groups,o=privat,c=de" write
        by anonymous read

But whenever I try, as a member of the dba group, to write an entry underneath cn=OracleContext,... I'm getting the error message

Enter LDAP Password:
adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

:-(

Any help is highly appreciated.
Thank you,
Wolf-Agathon
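Added example (not from the post, not OpenLDAP code): a small model of how slapd selects a target DN for dn.subtree versus dn.regex, checked against the entry the failing ldap_add tried to create and against its parent, which an add must also be allowed to write to (hence "no write access to parent"). The anchored `^(.*,)?...$` pattern is my own suggestion for also covering the base entry; it does not appear in the post.

```python
import re

# ACL targets quoted in the post, and the entry the failing ldap_add tried to create.
SUBTREE_BASE = "cn=OracleContext,ou=services,o=privat,c=de"
REGEX_FROM_POST = r"(.*,)cn=OracleContext,ou=services,o=privat,c=de"
NEW_ENTRY = "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"

# Hypothetical alternative (my suggestion, not from the post): the optional group
# plus ^/$ anchors make the base entry itself match, not only entries below it.
REGEX_WITH_BASE = r"^(.*,)?cn=OracleContext,ou=services,o=privat,c=de$"


def parent_dn(dn: str) -> str:
    """Parent of a DN: drop the leftmost RDN (simple split; assumes no escaped commas)."""
    return dn.split(",", 1)[1]


def subtree_matches(base: str, target: str) -> bool:
    """dn.subtree covers the base entry itself and everything below it (case-insensitive)."""
    base, target = base.lower(), target.lower()
    return target == base or target.endswith("," + base)


def regex_matches(pattern: str, target: str) -> bool:
    """dn.regex applies the pattern to the entry's DN; slapd compiles it case-insensitively
    and does not add anchors for you (model of that behaviour, not slapd's own code)."""
    return re.search(pattern, target, re.IGNORECASE) is not None


def add_is_covered(target_kind: str, target: str, new_entry: str) -> dict:
    """For an ldap_add the ACL must select BOTH the new entry and its parent, because
    slapd checks write access on the parent before creating a child under it.
    Returns which of the two DNs the given ACL target selects."""
    parent = parent_dn(new_entry)
    match = subtree_matches if target_kind == "subtree" else regex_matches
    return {"entry": match(target, new_entry), "parent": match(target, parent)}


if __name__ == "__main__":
    for kind, target in [("subtree", SUBTREE_BASE),
                         ("regex", REGEX_FROM_POST),
                         ("regex", REGEX_WITH_BASE)]:
        print(f"dn.{kind}={target!r}: {add_is_covered(kind, target, NEW_ENTRY)}")
```

The post's regex selects the new child but not its parent, so the parent falls through to whatever other access directives apply, which is exactly what the "no write access to parent" error reports.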