[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problem in slapd.conf



On 04/09/2009 12:02, Tomasz Chmielewski wrote:
I would like to allow a user to edit everything in a given subtree.


For example, I would like to allow
uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in
*,ou=Users,dc=example,dc=com.


I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up
access for that user, but I keep getting "insufficient access".

onn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com"
mech=SIMPLE ssf=0
conn=5 op=0 RESULT tag=97 err=0 text=
conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry




My rule in slapd.conf is:

access to dn="ou=Users,dc=example,dc=com"
by dn="uid=Operator,ou=Users,dc=example,dc=com" write
by dn="uid=Operator,ou=Users,dc=example,dc=com" read


I also tried to use:

access to dn.subtree="ou=Users,dc=example,dc=com"
...

But then I'm not even able to connect.

Hi,

I recommend that you read the chapter on access control from the *OpenLDAP* admin guide:
http://www.openldap.org/doc/admin24/access-control.html

In this particular case, I expect that you have other access rules that may be blocking this one - remember that order is important, and the first rule matching on the <what> part will define the access level.

Help in setting up ACLs is available through two other means:

1) If you use the command line ldap* tools, they often output some additional info along with the error 50, like this:

ldap_delete: Insufficient access (50)
	additional info: no write access to parent

2) You can enable loglevel acl in your configuration file and check the logs to see which rules are being used.

I hope this helps. If you have further questions, don't hesitate to post back here with your full set of ACLs, and information on the version of slapd you're using.

Regards,
Jonathan