LDAP Access controls
Hi all,
I've installed an LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.
What I am trying to do now is allow each one of them to have an address
book in their subtree.
I created a subtree in each authentication realm that looks like this:
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am
unable to get the user to be able to. In fact I can't seem to allow the
user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes, I restart slapd every time I
change this file).
I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write
but that doesn't work either, and I figured I'd reduce the number of
unknowns by trying to give global write permission first.
A command-line test to create an entry yields this result:
darryl@bison:~$ ldapadd -w ${NETPASS} -x -D "uid=darryl,ou=People,dc=domain,dc=ca" -f ~/tmp
adding new entry "cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca"
ldap_add: Insufficient access (50)
additional info: no write access to parent
~/tmp looks like this:
dn: cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
cn: test_test1
objectClass: inetOrgPerson
sn: testestestets
It's not an authentication issue because if NETPASS is wrong it returns:
ldap_bind: Invalid credentials (49)
Anyone have any ideas? There must be something simple I am missing, but
I'm stumped!
cheers,
darryl
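An added example, not part of the original post, of how the intended "each user writes only under their own entry" policy is normally expressed in OpenLDAP's slapd.access(5) syntax. In slapd, "by self" matches only the entry whose DN equals the bind DN, so it never covers ou=Contacts or anything beneath it; the usual pattern is a dn.regex in the "to" clause that captures the owner's uid, paired with "by dn.exact,expand" in the "by" clause. Access directives belong in the server configuration (slapd.conf or the equivalent cn=config olcAccess attribute), and the first "access to" clause whose target matches is the only one evaluated, so the specific rules must come before any catch-all. The suffix dc=domain,dc=ca and the ou=People layout follow the post; everything else is assumed.

```conf
# Added example of a slapd.conf ACL set (assumed layout from the post).
# Order matters: slapd stops at the first "access to" clause whose <what>
# matches the target entry, so specific rules go first.

# Password attribute: the owner may change it, anyone may bind with it,
# nobody else may read it. (This is what keeps passwd changes working.)
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Each user's own entry and everything beneath it (ou=Contacts,uid=X,...).
# Group 1 is the optional child RDN prefix (e.g. "cn=a,ou=Contacts,"),
# group 2 is the uid of the owning entry; $2 is expanded into the <who>.
# Write on the parent is what an ldapadd needs ("no write access to parent").
access to dn.regex="^(.+,)?uid=([^,]+),ou=People,dc=domain,dc=ca$"
    by dn.exact,expand="uid=$2,ou=People,dc=domain,dc=ca" write
    by users read
    by * none

# Everything else in the directory: authenticated users may read only.
access to *
    by users read
    by * none
```

The rootdn bypasses these rules entirely, which is why rootdn adds succeed regardless of the ACL. The unrestricted line in the post, "access to * by * write", is worth avoiding even as a diagnostic on a live server: "*" includes anonymous binds, so while it is in place anyone who can reach port 389 can modify or delete any entry, including userPassword. After changing the ACL, the quickest check is the same ldapadd from the post bound as the user, followed by an ldapadd as a different user targeting the first user's ou=Contacts, which should now fail with "Insufficient access (50)".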