[Date Prev][Date Next] [Chronological] [Thread] [Top]

How to give create/modify/delete permissions over a subtree to a GroupOfNames?

  Hello, list.

  I'm facing a problem here: need to offer create/delete/modify
permissions to a groupOfNames so they can handle users, without allowing
them to handle other things (like groups, for example).

  This is the organization of my ldap now:

  + dc=company, dc=net
    + ou=people, dc=company, dc=net
      + uid=champs, ou=people, dc=company, dc=net
        - objectClass: inetOrgPerson
    + ou=groups, dc=company, dc=net
      + cn=admin, ou=groups, dc=company, dc=net
        - objectClass: groupOfNames
        - member: uid=champs, ou=people, dc=company, dc=net

  And this is the permissions configuration from the slapd.conf:

access to dn.children="dc=company,dc=net"
        by group.exact="cn=admin,ou=Groups,dc=company,dc=net" write
        by self write
        by * none

  This is my .ldaprc:
URI ldap://ldap.company.net/
BASE dc=company, dc=net
BINDDN uid=lcampos, ou=people, dc=company, dc=net

  I'm sure that I'm using the right user and should have access to the
permissions I've setted up:
champs:~/ldiff$ ldapwhoami -xW
Enter LDAP Password:

  But when I try to use my newly-granted permissions to add an user, get
champs:~/ldiff$ ldapadd -xWf apalinkas.ldiff
Enter LDAP Password:
adding new entry "uid=palinkas, ou=People, dc=company, dc=net"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

  Maybe someone here could help me figure out what I'm doing wrong? I'm
pretty sure that all this is because I'm doing something stupid somewhere.

  Thanks very much for your help.
Luis Motta Campos
Segula Technologies Portugal