[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Setting up groups under OpenLDAP

To: Dan <dan@fatcanary.com.au>
Subject: Re: Setting up groups under OpenLDAP
From: "Benjamin de los Angeles Jr." <bench@surfshop.net.ph>
Date: Mon, 17 Apr 2000 17:26:56 +0800 (CST)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <NDBBJHPHJMPNFPEJOKGOCENPCAAA.dan@fatcanary.com.au>

Error code 50 means you have insufficient access. It's true, acl's are
applied to the user used to bind to LDAP.  Make sure you are binding as a
user with the right acl to modify things.

On Mon, 17 Apr 2000, Dan wrote:

> Hi there,
> 
> I read through the FAQ-o-matic on setting up groups for access control
> (http://www.openldap.org/faq/data/cache/52.html), but still seem to be
> having problems - if I connect to the server as a member of the
> "administrators" group, I still can't modify attributes of contexts other
> than the one I've binded as, and I can't create or delete any subcontexts.
> Perhaps its with my interpretation of the solution.  Can anybody help me
> here?
> 
> Here's my slapd.conf:
> -----------------------------------
> database	ldbm
> suffix		"o=cascade, c=au"
> directory	/usr/local/ldap/data
> rootdn		"uid=root, o=cascade, c=au"
> rootpw		(password)
> 
> loglevel		4095
> 
> access to *
> 	by self write
> 	by group="cn=Administrators,ou=groups,o=cascade,c=au" (do we need the
> o=cascade,c=au if the suffix is set to this above?)
> 	by dn=".+" read
> 	by * read
> 
> -----------------------------------
> Here's my tree structure, with some test entities added:
> 
> o=cascade,c=au
> |
> +-ou=people
> |  |
> |  +-uid=dan
> |  +-uid=another
> |
> +-ou=groups
>    |
>    +-cn=Administrators
> 
> Now, the uid=dan entry has a userPassword attribute set to binary data, and
> I can successfully connect using this context and password, and view the
> entire tree structure.
> 
> The cn=administrators has a the attribute member set to
> "uid=dan,ou=people,o=cascade,c=au"
> 
> When I try to add the attribute "test" to uid=another, the log reports
> "acl_access_allowed: matched by clause #3 access denied, and error code 50
> is returned.
> 
> Can anybody tell me where I'm going wrong here, or where some further
> documentation is to lead me down the right path?
> 
> Thanks :)
> D.
> 
> 
> Dan Makovec
> e-mail  dan@fatcanary.com.au <mailto:dan@fatcanary.com.au>
> ICQ     1398090
> Every day is a gift, that's why the present is so named
> 
>

Follow-Ups:
- RE: Setting up groups under OpenLDAP
  - From: "Dan" <dan@fatcanary.com.au>

References:
- Setting up groups under OpenLDAP
  - From: "Dan" <dan@fatcanary.com.au>

Prev by Date: Setting up groups under OpenLDAP
Next by Date: RE: Setting up groups under OpenLDAP
Index(es):
- Chronological
- Thread