Re: (ITS#3894) Cannot add suffix entry over protocol
h.b.furuseth@usit.uio.no wrote:
>Full_Name: Hallvard B Furuseth
>Version: HEAD
>OS: Linux
>URL:
>Submission from: (NULL) (129.240.186.42)
>Submitted by: hallvard
>
>
>ldapadd (bdb/ldbm database's suffix entry) fails with noSuchObject.
>
>slapd -h ldapi:/// -d1 shows the error messages
> "bdb_add: suffix denied" from back-bdb/add.c line 261,
> "entry at root add denied" from back-ldbm/add.c line 212.
>The ldbm message even gets the wrong message for that; it
>should at least have shown the "suffix add denied" variant.
>
>slapd.conf:
> include ...etc/openldap/schema/core.schema
> allow update_anon
> access to * by * write
> database ldbm
> suffix "o=mysil"
> directory /tmp/db
>
>ldif:
> dn: o=mysil
> objectClass: organization
> o: mysil
>
>
Not sure this is an error (except for the message, which could be more
clear). I think the intention is to allow only the rootdn to add the
context entry. In fact, if you have, for instance, 2 databases, and you
use one identity from one database to try and create the context entry
of the other database, even with appropriate ACLs, it fails for the same
reason:
<slapd.conf>
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
access to *
        by * read

database bdb
suffix "o=Example,c=US"
rootdn "cn=Manager,o=Example,c=US"
rootpw secret
access to *
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by * read
</slapd.conf>
<cmd>
$ ldapmodify -x -H ldap://:9011 -D 'cn=manager,dc=example,dc=com' -w secret
dn: o=Example,c=US
objectClass: organization
o: Example
modifying entry "o=Example,c=US"
ldap_modify: No such object (32)
</cmd>
I suggest a more indicative message be returned in those cases.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
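To make the rule discussed in this thread concrete, below is a small Python model of the decision both messages describe: the suffix (context) entry of a database can only be created by that database's own rootdn, ACLs are not consulted for it, and the rootdn of a different database is just an ordinary identity there. This is an added example, not OpenLDAP code and not a transcript of back-bdb/add.c or back-ldbm/add.c. The parent-must-exist and ACL-write checks for non-suffix entries, the result codes (32 noSuchObject, 50 insufficientAccess), the rootdn bypass of ACLs and the case-insensitive DN comparison are assumptions about slapd's general behaviour; the Database class, add_entry() and the two scenario functions are invented for the example. The scenarios replay Hallvard's anonymous o=mysil report and Pierangelo's two-database slapd.conf.

```python
"""Model of how slapd decides whether a bind identity may add an entry,
focused on the suffix-entry case. Added example; not OpenLDAP source."""
from dataclasses import dataclass, field

LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_INSUFFICIENT_ACCESS = 50


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN form, so that 'cn=manager,dc=example,dc=com'
    on the ldapmodify command line matches rootdn 'cn=Manager,...'."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(",") if rdn.strip())


def parent_dn(dn: str) -> str:
    """Strip the leading RDN; the empty string means 'no parent'."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join(rdns[1:])


@dataclass
class Database:
    suffix: str
    rootdn: str                      # "" models a database with no rootdn
    writers: set                     # normalized DNs granted write; "*" = by * write
    entries: set = field(default_factory=set)  # normalized DNs that exist

    def owns(self, dn: str) -> bool:
        n, s = normalize_dn(dn), normalize_dn(self.suffix)
        return n == s or n.endswith("," + s)

    def is_root(self, bind_dn: str) -> bool:
        return bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(self.rootdn)

    def may_write(self, bind_dn: str) -> bool:
        return "*" in self.writers or normalize_dn(bind_dn) in self.writers


def select_database(databases, dn):
    """Longest matching suffix wins (assumed, like slapd's backend selection)."""
    owners = [db for db in databases if db.owns(dn)]
    return max(owners, key=lambda db: len(normalize_dn(db.suffix)), default=None)


def add_entry(databases, bind_dn, dn):
    """Return (LDAP result code, diagnostic text) for an add request."""
    db = select_database(databases, dn)
    if db is None:
        return LDAP_NO_SUCH_OBJECT, "no database holds this suffix"
    n = normalize_dn(dn)
    if n == normalize_dn(db.suffix):
        # The suffix entry has no parent whose ACLs could be checked, so only
        # this database's own rootdn may create it. "access to * by * write"
        # and the rootdn of another database do not help here.
        if not db.is_root(bind_dn):
            return LDAP_NO_SUCH_OBJECT, "suffix add denied: bind as this database's rootdn"
    else:
        # Ordinary entry: parent must exist, then rootdn or ACL write access.
        if normalize_dn(parent_dn(dn)) not in db.entries:
            return LDAP_NO_SUCH_OBJECT, "parent entry does not exist"
        if not db.is_root(bind_dn) and not db.may_write(bind_dn):
            return LDAP_INSUFFICIENT_ACCESS, "no write access to parent"
    db.entries.add(n)
    return LDAP_SUCCESS, "added"


def two_database_scenario():
    """Pierangelo's two-database slapd.conf, replayed in the model."""
    example_com = Database("dc=example,dc=com", "cn=Manager,dc=example,dc=com", writers=set())
    example_us = Database("o=Example,c=US", "cn=Manager,o=Example,c=US",
                          writers={normalize_dn("cn=Manager,dc=example,dc=com")})
    dbs = [example_com, example_us]
    return [
        # foreign rootdn with an explicit ACL write grant: suffix entry still denied
        add_entry(dbs, "cn=manager,dc=example,dc=com", "o=Example,c=US")[0],
        # the database's own rootdn creates the suffix entry
        add_entry(dbs, "cn=Manager,o=Example,c=US", "o=Example,c=US")[0],
        # with the suffix entry in place, the ACL grant works for children
        add_entry(dbs, "cn=manager,dc=example,dc=com", "ou=People,o=Example,c=US")[0],
    ]


def anonymous_scenario():
    """Hallvard's report: no rootdn, 'allow update_anon', 'access to * by * write',
    and an anonymous attempt to add o=mysil."""
    mysil = Database("o=mysil", rootdn="", writers={"*"})
    return add_entry([mysil], "", "o=mysil")[0]


if __name__ == "__main__":
    print(two_database_scenario())   # [32, 0, 0]
    print(anonymous_scenario())      # 32
```

The practical check this models: when an add of the suffix entry fails with noSuchObject and the ACLs look right, bind as the rootdn configured for that database (with its rootpw), not as another identity with write access, and use ldapadd (or ldapmodify -a / changetype: add) so the request is actually an add.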