
Creating branches using ACIs: Insufficient access ('entry' access to a non-existing object)



I'm trying to create an object just below (one of) my top DNs.

The object I try to create looks like:
----- s n i p -----
dn: o=Testing,c=SE
o: Testing
objectClass: organization
objectClass: phpQLAdminBranch
----- s n i p -----

The ACIs (in c=SE) look like (I'm correctly mapped, as seen below):
----- s n i p -----
dn: c=SE
OpenLDAPaci: 1.2.3#entry#grant;r;[entry];r,s,c;objectClass,entry#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;c,userReference,branchReference,administrator#public#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#cn=Turbo Fredriksson,ou=People,o=Fredriksson,c=SE
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#cn=Turbo Fredriksson,ou=People,o=Fredriksson,c=SE
----- s n i p -----

The output from slapd running in debug mode 128 tells me
(at the very end):
----- s n i p -----
=> access_allowed: write access to "c=SE" "children" requested
=> dn: [1] cn=monitor
=> dn: [2]
=> acl_get: [3] check attr children
=> acl_get: [4] check attr children
<= acl_get: [4] acl c=SE attr: children
=> acl_mask: access to entry "c=SE", attr "children" requested
=> acl_mask: to all values by "cn=turbo fredriksson,ou=people,o=fredriksson,c=se", (=n)
<= acl_mask: [4] applying +wrscx (stop)
<= acl_mask: [4] mask: =wrscx
=> access_allowed: write access granted by =wrscx
=> access_allowed: write access to "o=Testing,c=SE" "entry" requested
=> dn: [1] cn=monitor
=> dn: [2]
=> acl_get: [3] check attr entry
=> acl_get: [4] check attr entry
<= acl_get: [4] acl o=Testing,c=SE attr: entry
=> acl_mask: access to entry "o=Testing,c=SE", attr "entry" requested
=> acl_mask: to all values by "cn=turbo fredriksson,ou=people,o=fredriksson,c=se", (=n)
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: write access denied by =n
----- s n i p -----

Now, the 'children' was quite obvious (and succeeds), but how
can I give access to 'entry' in an object that does not yet
exist!?

This is OpenLDAP v2.1.22...
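
The following is an added example, not part of the original post: a small Python parser that reduces a slapd debug-level-128 trace like the one above to one record per `access_allowed` check, which makes the denied `entry` check on the not-yet-existing DN stand out. The function names are hypothetical, the regular expressions assume the trace format exactly as quoted in the post, and the sample is abridged from that trace.

```python
import re

# Sample input: abridged from the slapd trace quoted in the post.
TRACE = '''\
=> access_allowed: write access to "c=SE" "children" requested
<= acl_get: [4] acl c=SE attr: children
=> acl_mask: to all values by "cn=turbo fredriksson,ou=people,o=fredriksson,c=se", (=n)
<= acl_mask: [4] applying +wrscx (stop)
=> access_allowed: write access granted by =wrscx
=> access_allowed: write access to "o=Testing,c=SE" "entry" requested
<= acl_get: [4] acl o=Testing,c=SE attr: entry
=> acl_mask: to all values by "cn=turbo fredriksson,ou=people,o=fredriksson,c=se", (=n)
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: write access denied by =n
'''

REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'^=> acl_mask: to .* by "([^"]*)"')
NO_WHO = re.compile(r'^<= acl_mask: no more <who> clauses')
RES = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by (\S+)')

def summarize(trace):
    """Return one dict per access_allowed check found in the trace."""
    checks, cur = [], None
    for line in trace.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            # A new check starts: requested level, target DN, pseudo-attribute.
            cur = {"level": m[1], "dn": m[2], "attr": m[3],
                   "who": None, "no_who_matched": False}
        elif cur is None:
            continue  # lines outside any check are ignored
        elif m := WHO.match(line):
            cur["who"] = m[1]  # the bound identity being evaluated
        elif NO_WHO.match(line):
            cur["no_who_matched"] = True  # no <who> clause applied to this identity
        elif m := RES.match(line):
            cur.update(result=m[1], mask=m[2])
            checks.append(cur)
            cur = None
    return checks

def denied(trace):
    """Only the checks that ended in a denial."""
    return [c for c in summarize(trace) if c["result"] == "denied"]

if __name__ == "__main__":
    for c in summarize(TRACE):
        print(f'{c["result"]:7} {c["level"]} on {c["attr"]!r} of "{c["dn"]}" (mask {c["mask"]})')
```
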