
Re: ACL Help Please



On Tue, Jul 01, 2008 at 02:05:00PM -0700, david stackis wrote:

> I added the ACLs you suggested. First I tried...
>  access to "ou=addressbook,dc=Company,dc=com"
>         by users write
>         by * read
> 
>  access to *
>         by * read

Sorry - that first line should have specified dn.subtree:

access to dn.subtree="ou=addressbook,dc=Company,dc=com"
	by users write
	by * read

access to *
	by * read

You should keep the 'access' keyword hard against the left margin:
leading white space indicates continuation lines.

> When I used ldapadd I received this error...
> 
> ldapadd -D "cn=Elliott Smith,ou=addressbook,dc=Company,dc=com" -f
> contact.ldif2
> Enter bind password: 
> adding new entry cn=Nick Drake,ou=addressbook,dc=Company,dc=com
> Enter bind password: 
> ldap_simple_bind: Invalid credentials

No surprise there - you did not load anything called "cn=Elliott
Smith,ou=addressbook,dc=Company,dc=com" so you cannot authenticate as
it.

> I then tried it using "ou=users" like this...
> 
> ldapadd -D "cn=Elliott Smith,ou=users,dc=Company,dc=com" -f contact.ldif2
> Enter bind password: 
> adding new entry cn=Nick Drake,ou=addressbook,dc=Company,dc=com
> ldap_add: Insufficient access
> ldap_add: additional info: no write access to parent

Fixed by new version above.

> #
> # Define individual users
> #
> dn: cn=Elliott Smith,ou=users,dc=company,dc=com
> objectclass: top
> objectclass: person
> cn: Elliott Smith
> sn: Smith
> userPassword: mysecret
> uid: esmith

That won't load, as uid is not in the person object class: you need
inetOrgPerson for that.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
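An added example, not part of Andrew's reply or of the original poster's configuration: a fuller slapd.conf ACL set for the same layout, using the DNs from the thread and assuming OpenLDAP 2.3/2.4 syntax. It keeps Andrew's fix (the address book entries are matched by scope, not by exact DN) but shows two things a practitioner would want to check. First, clause order matters: slapd uses the first "access to" clause whose target matches the entry, and within it the first "by" clause that matches the requester, so with a bare "access to * by * read" at the end, anonymous clients can read userPassword hashes under ou=users unless an earlier clause protects that attribute. Second, dn.subtree includes the ou=addressbook entry itself, so "by users write" on it lets any authenticated user modify or delete the OU; dn.children excludes the base entry, but adding or deleting a child then also needs write access to the parent's "children" pseudo-attribute, which is exactly what the "no write access to parent" error in the thread is about.

```conf
# Added example (not from the thread). DNs as in the original post;
# dn.children and the "children" pseudo-attribute are OpenLDAP 2.3/2.4 ACL
# syntax. Clauses are evaluated in order: first matching "access to" wins,
# then the first matching "by" within it. Keep "access" at the left margin;
# indented lines are continuations.

# Password hashes: the owner may change them, anonymous binds may only
# authenticate against them, nobody else can read them. This must come
# before the catch-all "access to *" clause or it never applies.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

# Address book entries (children of the OU, not the OU entry itself).
# Note that "by users write" still lets every authenticated user modify or
# delete every contact, not only the ones they created.
access to dn.children="ou=addressbook,dc=Company,dc=com"
	by users write
	by * read

# Creating or deleting a contact also requires write access to the parent
# entry's "children" pseudo-attribute; without this clause ldapadd fails
# with "no write access to parent". Granting only attrs=children keeps the
# OU entry's own attributes read-only for ordinary users.
access to dn.base="ou=addressbook,dc=Company,dc=com" attrs=children
	by users write
	by * read

# Everything else, including the user entries minus userPassword, is
# readable by anyone, including anonymous clients.
access to *
	by * read
```

Andrew's shorter dn.subtree version works because the subtree scope includes the OU entry, so the parent write check passes; the trade-off is that authenticated users can then rewrite or delete ou=addressbook itself. Whichever form is used, the userPassword clause above is worth keeping ahead of the catch-all.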