
Re: ACL questions



At 04:59 PM 7/10/2006, MT wrote:
>I know this has a very simple solution, unfortunately ACLs are
>kicking my rear.
>I have what is turning out to be a company roster with names, email,  
>telephone, address, and userpassword.  What I'm trying to allow is  
>just three users to authenticate and view "sensitive" info (i.e.  
>telephone number, home address, password).  Here's what I have so far
>for the ACLs:
>
>access to dn="ou=cmc,dc=cmcflex,dc=com"
>        attrs="telephoneNumber","homePhone","userPassword"
>        by users write
>        by * auth
>
>access to *
>        by * read
>
>Okay, so far anonymous just sees the "basic" (non-sensitive) fields.
>If I:
>
>ldapsearch -x -D "cn=mtice[at]cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -w secret
>
>I can view ALL info - which is what I want.  So ultimately it now  
>comes down to adding/deleting/modifying entries.  I'm trying to add a  
>test user using the command:
>
>ldapadd -x -w secret -D "cn=mtice[at]cmcflex.com,ou=cmc,dc=cmcflex,dc=com" -f test.ldif
>
>I get the error:
>
>ldap_add: Insufficient access (50)
>        additional info: no write access to parent
>
>I suppose it means that I can write to
>ou=cmc,dc=cmcflex,dc=com but not to dc=cmcflex,dc=com.

More specifically, it means that the subject doesn't have write
access to the "children" pseudo-attribute of the target's parent.

>Is that
>correct or am I way off?  I tried messing with the ACLs a bit but
>just completely screwed it up.
>
>I'm using OpenLDAP v. 2.2.27 on a SUSE 10 box.

Historic stuff...

> If I need to post  
>any additional info please let me know.  Any help would be greatly  
>appreciated.
>
>Thanks,
>Matt
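
An ACL layout that follows the reply above, as an added example that is not part of the original thread: a slapd.conf fragment for OpenLDAP 2.2 or later in which the privileged users are the members of an assumed groupOfNames, `cn=roster-admins,ou=cmc,dc=cmcflex,dc=com` (that group, and the explicit `dn.subtree`/`dn.exact`/`group.exact` styles, are this example's choices, not something the poster has). Two things in the posted ACLs are worth noting from a security standpoint: `by users write` on the sensitive attributes grants every account that can bind, not just three users, write access to everyone's telephone numbers and passwords; and nothing grants write access to the `children` pseudo-attribute of `ou=cmc`, which is exactly what `ldapadd` needs and why it fails with "no write access to parent".

```conf
# Added example, not from the original post. Assumes the group
# cn=roster-admins,ou=cmc,dc=cmcflex,dc=com exists as a groupOfNames
# whose "member" values are the DNs of the three privileged users.
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the specific clauses come first.

# 1. Sensitive attributes: only the admin group (and the entry's owner,
#    via "by self") may read or write them; everyone else, including
#    anonymous, may use userPassword only to bind ("auth").
#    dn.subtree covers ou=cmc itself and every entry below it.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
        attrs=telephoneNumber,homePhone,userPassword
        by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
        by self write
        by * auth

# 2. Adding or deleting an entry under ou=cmc requires write access to
#    the "children" pseudo-attribute of the parent entry, ou=cmc itself.
#    This is the piece the posted ACLs lacked.
access to dn.exact="ou=cmc,dc=cmcflex,dc=com" attrs=children
        by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
        by * read

# 3. The same operations also require write access to the "entry"
#    pseudo-attribute of the entry being added or deleted, and an add
#    needs write access to every attribute the new entry carries.
access to dn.subtree="ou=cmc,dc=cmcflex,dc=com" attrs=entry
        by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
        by * read

access to dn.subtree="ou=cmc,dc=cmcflex,dc=com"
        by group.exact="cn=roster-admins,ou=cmc,dc=cmcflex,dc=com" write
        by * read

# 4. Everything else in the directory stays world-readable, as before.
access to *
        by * read
```

After restarting slapd, the check is the same pair of commands the poster used: `ldapadd` as a group member should succeed, and an anonymous `ldapsearch` against `ou=cmc` should return entries without telephoneNumber, homePhone or userPassword. Drop the `by self write` line if users should not be able to change their own password or phone number; if the roster also stores a home address attribute, add it to the `attrs=` list of clause 1, since the catch-all clauses below make any attribute not listed there world-readable.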