[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Assistance Requested

Joshua M. Miller writes:
> $ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D 
> "uid=cupsd,ou=people,dc=example,dc=org" -W
> Enter LDAP Password:
> adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
> ldap_add: Insufficient access (50)
>          additional info: no write access to entry

See man slapd.access:
  The add operation requires write (=w) privileges on the pseudo-
  attribute entry of the entry being added, and write (=w) privileges
  on the pseudo-attribute children of the entry's parent.  When adding
  the suffix entry of a database, write access to children of the
  empty DN ("") is required.

Your statement
  access to dn="ou=printers,dc=example,dc=org"
     by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write

grants write access to the "children" pseudo-attribute of the parent (as
well as to the rest of the parent).  To to grant access to the actual
entries you add, use dn.subtree= instead of dn=.  Or maybe another
access statement with something more restrictive, i.e. with dn.children.