[Date Prev][Date Next]
Re: Setting up groups under OpenLDAP
Error code 50 means you have insufficient access. It's true, acl's are
applied to the user used to bind to LDAP. Make sure you are binding as a
user with the right acl to modify things.
On Mon, 17 Apr 2000, Dan wrote:
> Hi there,
> I read through the FAQ-o-matic on setting up groups for access control
> (http://www.openldap.org/faq/data/cache/52.html), but still seem to be
> having problems - if I connect to the server as a member of the
> "administrators" group, I still can't modify attributes of contexts other
> than the one I've binded as, and I can't create or delete any subcontexts.
> Perhaps its with my interpretation of the solution. Can anybody help me
> Here's my slapd.conf:
> database ldbm
> suffix "o=cascade, c=au"
> directory /usr/local/ldap/data
> rootdn "uid=root, o=cascade, c=au"
> rootpw (password)
> loglevel 4095
> access to *
> by self write
> by group="cn=Administrators,ou=groups,o=cascade,c=au" (do we need the
> o=cascade,c=au if the suffix is set to this above?)
> by dn=".+" read
> by * read
> Here's my tree structure, with some test entities added:
> | |
> | +-uid=dan
> | +-uid=another
> Now, the uid=dan entry has a userPassword attribute set to binary data, and
> I can successfully connect using this context and password, and view the
> entire tree structure.
> The cn=administrators has a the attribute member set to
> When I try to add the attribute "test" to uid=another, the log reports
> "acl_access_allowed: matched by clause #3 access denied, and error code 50
> is returned.
> Can anybody tell me where I'm going wrong here, or where some further
> documentation is to lead me down the right path?
> Thanks :)
> Dan Makovec
> e-mail firstname.lastname@example.org <mailto:email@example.com>
> ICQ 1398090
> Every day is a gift, that's why the present is so named