Hi,
I've had OpenLDAP set up for a while now such that users can create
groups and manage the groups that they've created. I've achieved this
by creating a new objectClass (called "managedGroup") which adds the
"manager" attribute, and then I've set up ACLs like this:
olcAccess: {14}to dn.base="ou=Groups,dc=whatever"
attrs=children
by users add
by * break
olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever"
filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))"
attrs=entry
by users add
by * break
olcAccess: {16}to dn.subtree="ou=Groups,dc=whatever"
attrs=cn,manager,memberUid,description
by set.exact="this/manager & user" write
by * break
I also have the "unique" overlay installed to prevent multiple groups
from having the same "cn" or "gidNumber".
I've got a request from users to be able to re-name their groups now
too. I tried changing "by users add" to "by users write" in clause
14, and added the "entry" attribute to "attrs=" in clause 16, but the
server is still not letting users re-name their groups. The output of
the log file looks like this:
slapd[44745]: => acl_get: [16] attr entry
slapd[44745]: => acl_mask: access to entry
"cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
slapd[44745]: => acl_mask: to all values by
"uid=g-guest,ou=people,dc=whatever", (=0)
slapd[44745]: <= check a_dn_pat: users
slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
slapd[44745]: => access_allowed: no more rules
What am I missing?