
Re: LDAP Access controls



Hi,

On 07/07/2009 17:13, Darryl Moore wrote:
Hi all,

I've installed an LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.

What I am trying to do now is allow each one of them to have an
address book in their subtree.

I created a subtree in each authentication realm that looks like this

ou=Contacts,uid=user,ou=People,dc=domain,dc=ca

There is no problem with the rootdn adding entries below this, but I
am unable to get the user to be able to. In fact I can't seem to
allow the user to write anywhere. Even with the lone access rule:

access to * by * write

in the /etc/ldap/ldap.conf file (and yes I restart slapd every time I
change this file)

I presume you mean slapd.conf file, not ldap.conf.

When testing this, make sure to put this rule as the *first* access rule
in the slapd.conf file.

Order is important in ACLs, since the first matching rule will apply. So
if your "access to * by * write" is not the first, it probably is never reached.

I believe the correct access rule for what I want is:

access to dn.children="ou=People,dc=domain,dc=ca" by self write

A quick excerpt from the admin guide:
To add or delete an entry, the subject must have write access to the
entry's entry attribute AND must have write access to the entry's
parent's children attribute.

Be careful of "self" as well, it only represents the current user's
entry, not its children/etc.

Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
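As an added illustration of the two points above (first match wins, and adding an entry needs write on the parent's "children" and the new entry's "entry" pseudo-attributes), here is a slapd.conf ACL fragment that gives each user write access only to the address book below their own entry. This is not from the thread; it assumes the DN layout in the question, with uid=<user>,ou=People,dc=domain,dc=ca as the user's own entry, and uses the dn.regex / dn.exact,expand forms from slapd.access(5).

```conf
# Added example (not from the thread): per-user address book ACLs for
# ou=Contacts,uid=<user>,ou=People,dc=domain,dc=ca. The user's own entry is
# assumed to be uid=<user>,ou=People,dc=domain,dc=ca.
# Place these BEFORE any broader "access to *" rule: slapd applies the
# first "access to" clause whose <what> matches, so a wide rule above
# these would shadow them.

# The container itself. The user needs write on its "children"
# pseudo-attribute to add or delete entries below it. With no attrs=
# list the rule covers entry and children as well as ordinary attributes.
access to dn.regex="^ou=Contacts,uid=([^,]+),ou=People,dc=domain,dc=ca$"
        by dn.exact,expand="uid=$1,ou=People,dc=domain,dc=ca" write
        by * none

# Everything below the container. Write here covers each contact's
# "entry" pseudo-attribute (needed to add/delete it) and its attributes.
# $1 is the uid captured from the contact's own DN, so only the owner
# of that subtree matches.
access to dn.regex="^.+,ou=Contacts,uid=([^,]+),ou=People,dc=domain,dc=ca$"
        by dn.exact,expand="uid=$1,ou=People,dc=domain,dc=ca" write
        by * none

# The existing rules (self write on the user's own entry for password
# changes, anonymous auth, read access, etc.) follow here.
```

The "by * none" lines are explicit only for clarity; the rootdn bypasses ACLs entirely, which is why adds as rootdn already worked.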