
LDAP Access controls



Hi all,

I've installed an LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.

What I am trying to do now is allow each one of them to have an address
book in their subtree.

I created a subtree in each authentication realm that looks like this

ou=Contacts,uid=user,ou=People,dc=domain,dc=ca

There is no problem with the rootdn adding entries below this, but I am
unable to get the user to be able to. In fact I can't seem to allow the
user to write anywhere. Even with the lone access rule:

access to * by * write

in the /etc/ldap/ldap.conf file (and yes I restart slapd every time I
change this file)

I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write

but that doesn't work either and I figured I'd reduce the number of
unknowns by trying to give global write permission first.

A command-line test to create an entry yields this result:
darryl@bison:~$ ldapadd -w ${NETPASS} -x -D "uid=darryl,ou=People,dc=domain,dc=ca" -f ~/tmp
adding new entry "cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca"
ldap_add: Insufficient access (50)
	additional info: no write access to parent


~/tmp looks like this:
dn: cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
cn: test_test1
objectClass: inetOrgPerson
sn: testestestets



It's not an authentication issue because if NETPASS is wrong it returns:

ldap_bind: Invalid credentials (49)

Anyone have any ideas? There must be something simple I am missing, but
I'm stumped!

cheers,
darryl
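The following slapd.conf fragment is an added worked example, not part of the post above and not the poster's configuration; it assumes the naming context and layout the post describes (dc=domain,dc=ca, user entries under ou=People, each user's address book under ou=Contacts beneath their own entry). Two properties of OpenLDAP access control are what the example is built around: slapd reads "access to" directives from its own configuration (slapd.conf or cn=config), never from the client-side ldap.conf, and the "self" subject only matches when the entry being accessed is the bound DN itself, so it can never grant write access to a child entry such as an address-book contact. To let a user write below their own entry, the owner has to be derived from the target DN with a regex capture and expanded into the "by" clause. Adding an entry also needs write access to the parent, which a whole-entry write rule over the subtree supplies.

```conf
# slapd.conf ACL fragment (added example; suffix and layout are assumptions
# taken from the post, adjust to the real directory).
#
# ACLs are evaluated in order: the first "access to" clause whose target
# matches the entry decides, and within it the first matching "by" clause
# wins.  Specific rules therefore come before general ones.

# Passwords: the owner may change theirs, anonymous may only bind with it,
# nobody else sees it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Each user's private address book: everything under
# ou=Contacts,uid=<user>,ou=People,dc=domain,dc=ca.
# The uid captured from the target DN ($1) is expanded into the "by"
# clause so that only that user's bound DN gets write access.  Write on
# the whole subtree covers the "children" pseudo-attribute of the parent,
# which is what "no write access to parent" was complaining about.
access to dn.regex="^(.+,)?ou=Contacts,uid=([^,]+),ou=People,dc=domain,dc=ca$"
    by dn.exact,expand="uid=$2,ou=People,dc=domain,dc=ca" write
    by * none

# The user's own entry (where "self" does match): owner may edit it,
# other authenticated users may read it.
access to dn.regex="^uid=([^,]+),ou=People,dc=domain,dc=ca$"
    by self write
    by users read
    by * none

# Everything else: authenticated users read, anonymous nothing.
access to *
    by users read
    by * none
```

After restarting slapd with these rules in place, the same ldapadd bound as uid=darryl should succeed for a DN under ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca and still be refused for a DN under another user's ou=Contacts, which is the quickest way to confirm that the expand clause is matching the intended owner and nobody else.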