[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL problem in slapd.conf
Tomasz Chmielewski <mangoo@wpkg.org> writes:
> I would like to allow a user to edit everything in a given subtree.
>
>
> For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in *,ou=Users,dc=example,dc=com.
>
>
> I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up access for that user, but I keep getting "insufficient access".
>
> onn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
> conn=5 op=0 RESULT tag=97 err=0 text=
> conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
> conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
>
>
>
>
> My rule in slapd.conf is:
>
> access to dn="ou=Users,dc=example,dc=com"
> by dn="uid=Operator,ou=Users,dc=example,dc=com" write
> by dn="uid=Operator,ou=Users,dc=example,dc=com" read
This access to rule only allows access to dn.base=ou=Users..
the write privilege includes read, compare and auth privileges so the second
by clause is never checked and can be omited.
You should follow
http://www.openldap.org/doc/admin24/access-control.html
in order to have valid and authoritative documentation.
> I also tried to use:
>
> access to dn.subtree="ou=Users,dc=example,dc=com"
> ...
read man slapd.access(5)
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E