
ACL questions
I know this has a very simple solution; unfortunately ACLs are kicking my rear.
I have what is turning out to be a company roster with names, email, telephone, address, and userPassword. What I'm trying to allow is just three users to authenticate and view "sensitive" info (i.e. telephone number, home address, password). Here's what I have so far for the ACLs:

access to dn="ou=cmc,dc=cmcflex,dc=com" attrs="telephoneNumber","homePhone","userPassword"
	by users write
	by * auth

access to *
	by * read

Okay, so far anonymous just see the "basic" (non-sensitive) fields. If I:

ldapsearch -x -D "cn=mtice[at]cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -w secret

I can view ALL info - which is what I want. So ultimately it now comes down to adding/deleting/modifying entries. I'm trying to add a test user using the command:

ldapadd -x -w secret -D "cn=mtice[at]cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -f test.ldif

I get the error:

ldap_add: Insufficient access (50)
	additional info: no write access to parent

I suppose it means that I can write to ou=cmc,dc=cmcflex,dc=com, but not to dc=cmcflex,dc=com. Is that correct or am I way off? I tried messing with the ACLs a bit but just completely screwed it up.

I'm using OpenLDAP v. 2.2.27 on a SUSE 10 box. If I need to post any additional info please let me know. Any help would be greatly appreciated.

Thanks,
Matt
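
Added example (not from Matt's post and not from the OpenLDAP project): a slapd.conf ACL set that covers both things the post asks about, the "only three users see the sensitive fields" requirement and the "no write access to parent" error. It assumes a groupOfNames entry cn=roster-admins,ou=cmc,dc=cmcflex,dc=com whose member values are the three allowed users (that DN is an assumption); the base DN and attribute names are the ones from the post, and the dn.subtree style is written out explicitly so the scope of each rule is unambiguous. The point behind the ldapadd error is that adding an entry needs write access to the parent entry's "children" pseudo-attribute (and to the new entry's "entry" pseudo-attribute); with the posted ACLs those pseudo-attributes were not named in the first rule, so they fell through to "access to * by * read", which is exactly read-only on the parent.

```conf
# Added example ACLs for slapd.conf (assumptions: the roster-admins group DN
# and the use of dn.subtree; base DN and attribute names come from the post).
# Rules are evaluated first-match on the "access to" target, so the
# narrow attribute rules must come before the catch-all.

# userPassword: the admin group may read and set it, each user may change
# their own, and everyone else may only use it to bind ("auth").
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com" attrs=userPassword
    by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
    by self write
    by * auth

# Other sensitive fields: visible and editable only by the admin group.
# "by * none" stops every other bound user from reading them, which the
# original "by users write" did not (any authenticated user could read
# and change everyone's phone numbers and passwords).
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com" attrs=telephoneNumber,homePhone
    by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
    by * none

# The "entry" and "children" pseudo-attributes control adding, renaming and
# deleting entries. ldapadd under ou=cmc needs write on the parent's
# "children" and on the new entry's "entry"; this rule grants both to the
# admin group and leaves everyone else read-only, so "no write access to
# parent" goes away for the three admins and nobody else.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com" attrs=entry,children
    by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
    by * read

# Remaining roster attributes (name, mail, ...): admins may edit, the
# world may read. This is the "basic" view anonymous users already get.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
    by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
    by * read

# Everything outside the roster stays read-only for everyone.
access to *
    by * read
```

After reloading slapd, the checks worth running are: an anonymous `ldapsearch -x -b ou=cmc,dc=cmcflex,dc=com` should return entries without telephoneNumber, homePhone or userPassword; the same search bound as an ordinary roster user should still not show other people's sensitive fields (this is the part the original "by users write" rule got wrong); and `ldapadd` of the test.ldif should succeed only when bound as one of the three group members. If the group is a groupOfUniqueNames rather than groupOfNames, the selector needs to be written as group/groupOfUniqueNames/uniqueMember instead of the plain group.exact shown here.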