
Re: (ITS#3894) Cannot add suffix entry over protocol

h.b.furuseth@usit.uio.no wrote:

>Full_Name: Hallvard B Furuseth
>Version: HEAD
>OS: Linux
>Submission from: (NULL) (
>Submitted by: hallvard
>ldapadd (bdb/ldbm database's suffix entry) fails with noSuchObject.
>slapd -h ldapi:/// -d1 shows the error messages
>  "bdb_add: suffix denied"   from back-bdb/add.c line 261,
>  "entry at root add denied" from back-ldbm/add.c line 212.
>The ldbm message even gets the wrong message for that, it
>should at least have shown the "suffix add denied" variant.
>  include ...etc/openldap/schema/core.schema
>  allow update_anon
>  access to * by * write
>  database ldbm
>  suffix "o=mysil"
>  directory /tmp/db
>  dn: o=mysil
>  objectClass: organization
>  o: mysil
Not sure this is an error (except for the message, which could be more 
clear).  I think the intention is to allow only the rootdn to add the 
context entry.  In fact, if you have, for instance, 2 databases, and you 
use one identity from one database to try and create the context entry 
of the other database, even with appropriate ACLs, it fails for the same 

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
access to *
        by * read

database        bdb
suffix          "o=Example,c=US"
rootdn          "cn=Manager,o=Example,c=US"
rootpw          secret
access to *
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by * read

$ ldapmodify -x -H ldap://:9011 -D 'cn=manager,dc=example,dc=com' -w secret
dn: o=Example,c=US
objectClass: organization
o: Example

modifying entry "o=Example,c=US"
ldap_modify: No such object (32)

I suggest a more indicative message be returned in those cases.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
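The rule the reply describes, that a database's suffix (context) entry can only be created by that database's own rootdn and that ACL grants do not help, modelled as a small Python policy checker. This is an added illustration, not OpenLDAP's code; the Backend record, the "*" sentinel for "by * write" and the `existing` set of entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Backend:
    suffix: str
    rootdn: Optional[str]   # None: no rootdn directive (as in the ITS report's config)
    writers: frozenset      # DNs granted write by ACL; "*" stands for "by * write"

def norm(dn: str) -> str:
    """Constructed DN comparison form: case- and whitespace-insensitive."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def select_backend(backends, dn):
    """Route dn to the database with the longest matching suffix."""
    n, best = norm(dn), None
    for be in backends:
        s = norm(be.suffix)
        if (n == s or n.endswith("," + s)) and (best is None or len(s) > len(norm(best.suffix))):
            best = be
    return best

def can_add(backends, bind_dn, target_dn, existing):
    """Return (allowed, result) for an add of target_dn by bind_dn.
    existing: DNs already present in the directory (constructed state)."""
    be = select_backend(backends, target_dn)
    if be is None:
        return False, "noSuchObject (32): no database serves this DN"
    is_root = be.rootdn is not None and norm(bind_dn) == norm(be.rootdn)
    if norm(target_dn) == norm(be.suffix):
        # Context entry: reserved to this database's own rootdn. Another
        # database's rootdn, or an identity holding a write ACL, is refused,
        # and the client sees the same noSuchObject as for a missing parent.
        if is_root:
            return True, "suffix entry added by rootdn"
        return False, "noSuchObject (32): suffix add denied, bind as this database's rootdn"
    parent = target_dn.split(",", 1)[1]
    if norm(parent) not in {norm(e) for e in existing}:
        return False, "noSuchObject (32): parent entry does not exist"
    if is_root or "*" in be.writers or norm(bind_dn) in {norm(w) for w in be.writers}:
        return True, "entry added"   # rootdn bypasses ACLs; others need a write grant
    return False, "insufficientAccess (50)"

# Constructed config mirroring the two-database example in the reply.
REPLY_BACKENDS = (
    Backend("dc=example,dc=com", "cn=Manager,dc=example,dc=com", frozenset()),
    Backend("o=Example,c=US", "cn=Manager,o=Example,c=US",
            frozenset({"cn=Manager,dc=example,dc=com"})),
)
```

Once the suffix entry exists, the cross-database manager's write ACL does apply to ordinary child entries, which is the contrast the model makes visible.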