Re: [ldap] Permission on Parent



[[Cc list trimmed, no need to bother the general LDAP list with
OpenLDAP-specific issues]]

Well, the other thing is that regex
   "uid=.*,ou=People,dc=example,dc=com"

doesn't match "ou=People,dc=example,dc=com", the parent of the
target entry, hence the error "no write to parent".

To add an entry, the subject not only needs write access
to the entry, but write access to the "children" attribute of
its parent.

This is discussed in the Admin Guide, FAQ, and in the
archives.

At 11:52 AM 3/13/2003, Robert Canary wrote:
>Actually I tried it all ways. (*.*) (.*) (*.) (*)
>
>Pierangelo Masarati wrote:
>> 
>> > Are there any docs that show all this?
>> >
>> > Robert Canary wrote:
>> >>
>> >> I am trying to create a record under ou=People,dc=example,dc=com
>> >>
>> >> I am using the dn "uid=newuser2add,ou=People,dc=example,dc=com"
>> >>
>> >> If I run the ldif file with cn=root it goes fine, but I don't want
>> >> that.  I am trying to set up a user specifically for adding new people.
>> >> So I set a user called "peopleroot" and added this superuser in the
>> >> acls as follows:
>> >>
>> >> access to dn="uid=*,ou=People,dc=example,dc=com"
>> >>         by dn="cn=peopleroot,dc=example,dc=com" write
>> 
>> If you're using OpenLDAP software, this regex is incorrect;
>> it should be
>> 
>> access to dn="uid=.*,ou=People,dc=example,dc=com"
>>         by dn="cn=peopleroot,dc=example,dc=com" write
>> 
>> note the dot '.' before the star '*'.
>> 
>> >>
>> >> But it still gives me:
>> >> ldap_add: Insuffiecent access
>> >> additional Info: nowrite access to parent
>> >> ldif_record()=50
>> >>
>> >> Can someone tell me what the proper dn for peopleroot should be to
>> >> allow write permissions?
>> >>
>> >> thanks in advance
>> >> --
>> >> robert
>> 
>> --
>> Pierangelo Masarati
>> mailto:pierangelo.masarati@sys-net.it
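
The check described at the top of this message, as an added example that is not part of the original thread and is not OpenLDAP code. It is a simplified model (first matching "access to" clause wins, unmatched targets are denied, parent checked before entry); the second rule in ACL_WITH_PARENT and all function names are constructed for illustration.

```python
import re

PEOPLEROOT = "cn=peopleroot,dc=example,dc=com"
PEOPLE = "ou=People,dc=example,dc=com"

# Each rule: (target DN regex, attribute or None for "all", who, level).
# The corrected rule from the thread: it covers uid=... entries only.
ACL_FROM_THREAD = [
    (r"uid=.*,ou=People,dc=example,dc=com", None, PEOPLEROOT, "write"),
]
# Constructed addition: write on the "children" attribute of the parent.
ACL_WITH_PARENT = ACL_FROM_THREAD + [
    (r"^ou=People,dc=example,dc=com$", "children", PEOPLEROOT, "write"),
]


def parent_dn(dn):
    """Strip the leftmost RDN (escaped commas are not handled here)."""
    return dn.split(",", 1)[1]


def can_write(acl, who, dn, attr):
    """Use the first rule whose target and attribute match; deny otherwise."""
    for pattern, rule_attr, rule_who, level in acl:
        if rule_attr not in (None, attr):
            continue
        # Unanchored search, so a pattern without ^/$ may match a substring.
        if re.search(pattern, dn, re.IGNORECASE):
            return rule_who == who and level == "write"
    return False


def check_add(acl, who, dn):
    """An add needs write on the parent's children and on the new entry."""
    if not can_write(acl, who, parent_dn(dn), "children"):
        return "no write access to parent"
    if not can_write(acl, who, dn, "entry"):
        return "no write access to entry"
    return "ok"


if __name__ == "__main__":
    new_dn = "uid=newuser2add," + PEOPLE
    print(check_add(ACL_FROM_THREAD, PEOPLEROOT, new_dn))
    print(check_add(ACL_WITH_PARENT, PEOPLEROOT, new_dn))
```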