
Re: ACL Help Please



On Mon, Jun 30, 2008 at 04:09:07PM -0700, david stackis wrote:

> My goal is to have each one of my user able to read/write to their own
> personal address book.

> ldapadd -D "cn=Elliott Smith,ou=users,dc=Company,dc=com" -f contact.ldif
> Enter bind password: 
> adding new entry cn=Nick Drake,ou=addressbook,dc=Company,dc=com
> ldap_add: Insufficient access
> ldap_add: additional info: no write access to parent

>  access to dn.regex="(.+,)?(uid=[^,]+,o=isc)$"
>         by dn.exact,expand="$2" write
>         by anonymous auth

It looks as if you have part of an ACL taken from some other system.
It will not help you here; I suggest you remove it.

You need to provide 'write' access to the whole subtree under
ou=addressbook,dc=Company,dc=com
so I suggest starting with this:

# dn.subtree covers the ou=addressbook entry and everything below it
access to dn.subtree="ou=addressbook,dc=Company,dc=com"
	by users write
	by * read

access to *
	by * read

That will allow *any* authenticated user to do *anything* in your
addressbooks tree. You can then refine it, perhaps by limiting
which users can write:

# only entries under ou=users may write; everyone else (including
# anonymous) may read
access to dn.subtree="ou=addressbook,dc=Company,dc=com"
	by dn.subtree="ou=users,dc=Company,dc=com" write
	by * read

access to *
	by * read


Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
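An added example, not part of Andrew's reply and not taken from the OpenLDAP project, that carries the refinement one step further towards the original goal of a personal address book per user. It assumes a layout the thread does not state: one sub-OU per user directly under ou=addressbook, named after the user's cn (so cn=Elliott Smith,ou=users,dc=Company,dc=com owns ou=Elliott Smith,ou=addressbook,dc=Company,dc=com), with those sub-OUs created by the directory administrator (the rootdn bypasses ACLs). The userPassword clause and the tighter catch-all are choices made in this example, not something the reply proposes.

```conf
# Assumed layout (not stated in the thread): each user owns the sub-OU
#   ou=<cn of user>,ou=addressbook,dc=Company,dc=com
# slapd evaluates "access to" clauses in order and uses the first <what>
# that matches the target entry, so the specific clauses must come
# before "access to *".

# Password hashes: the owner may change theirs, anonymous may only use
# them for the bind (auth), nobody else sees them.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

# The addressbook container itself: authenticated users may read it so
# they can search down to their own sub-OU, but nobody may write it.
# Since entry creation needs write on the parent, this also stops users
# creating additional sub-OUs; the administrator does that.
access to dn.base="ou=addressbook,dc=Company,dc=com"
	by users read
	by * none

# Each user's sub-OU and everything below it. $2 is the ou value
# captured from the target DN; "expand" substitutes it into the owner's
# DN, so only cn=<that ou>,ou=users,... gets write, everyone else nothing.
# (.+,)? also matches the sub-OU entry itself, so the owner may modify it.
access to dn.regex="^(.+,)?ou=([^,]+),ou=addressbook,dc=Company,dc=com$"
	by dn.exact,expand="cn=$2,ou=users,dc=Company,dc=com" write
	by * none

# Everything else: readable by authenticated users, nothing for anonymous.
access to *
	by users read
	by * none
```

After reloading slapd, repeating the ldapadd from the original message as cn=Elliott Smith against cn=Nick Drake,ou=Elliott Smith,ou=addressbook,dc=Company,dc=com should succeed, while the same add under another user's sub-OU (or directly under ou=addressbook) should fail with the same "no write access to parent" message, which is the check that the regex and expansion line up with the tree as actually laid out.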