Re: ACL question

[John Ziniti <jziniti@speakeasy.org>]

My guess here is that although the replicator has full
access to the entire tree under "ou=origin,dc=myorg,dc=org",
since it does not have access to it's own record, which is
not under that ou, it cannot read it's own record for the
purposes of authentication.

I bet if you cranked up the debug level on your slapd and
watched the conversation, you would see the query fail
when trying to auth the replicator.

James Shvarts wrote:

> Hello all,
>
> i have a the following context: ou=origin,dc=myorg,dc=org which 
> contains users whose dn's are expressed in this form: 
> uid=user1,ou=origin,dc=myorg,dc=org;
> uid=user2,ou=origin,dc=myorg,dc=org etc.
>
> i also have a "replicator" account with the following dn: 
> cn=replicator,dc=myorg,dc=org (while my rootdn is: 
> cn=admin,dc=myorg,dc=org). the replicator account should be able to 
> manipulate users within ou=origin,dc=myorg,dc=org in any possible way 
> (insert,update,delete,search,etc).
>
> i have a hard time coming up with a proper acl to allow relicator 
> account to manipulate user entries. i tried adding the statement below 
> to slapd.conf without any other acl rules. but if i try to retrieve 
> all users with ldapsearch (binding as cn=replicator,dc=myorg,dc=org) i 
> get: ldap_bind: Insufficient access (50).
>
> access to dn=".*,ou=origin,dc=myorg,dc=org"
>        by dn="cn=replicator,dc=nsdl,dc=org" write
>
> i would appreciate any help
> -- James