Re: Error modifying uid or dn with ldapmodify (Naming violation (64) value of naming attribute 'uid' is not present in entry)

darkxer0x writes:
> Thank you very much.
> But, I have another problem, what is the ACL to permit "seff" to
> change dn?

"man slapd.access" says:

    The modrdn operation requires write (=w) privileges on the
    pseudo-attribute entry of the entry whose relative DN is being
    modified, write (=w) privileges on the pseudo-attribute children of
    the old and new entry's parents, and write (=w) privileges on the
    attributes that are present in the new relative DN.  Write (=w)
    privileges are also required on the attributes that are present in
    the old relative DN if deleteoldrdn is set to 1.

Thus you'll need something like

    # hide passwords, but allow users to update their own
    access to attrs=userPassword by self =wx by * auth
    # allow users to add/delete/move entries directly below dc=dominio
    access to dn="dc=dominio" attrs=children
           by dn.onelevel="dc=dominio" write
    # allow users to write their own entries and everyone to read
    # everything else
    access to *  by self write   by * read

> I've tried in slapd.conf:
> access to dn.base="" by self write

This tries to grant access to the single entry with DN "", which is not
a user entry but a special entry that describes the LDAP server.
Also it doesn't grant any access to anyone but 'self'.

Maybe you meant
    access to *   by self write   by * read
or something like
    access to dn.subtree=<some DN>   by self write   by * read

> This doesn't work

It would help if you said which error message you receive (where slapd
tries to _tell_ you why it failed), but here is a guess:

> I've read some howto about ldapmodrdn and all of them say: -D
> "Directory Manager",

Hopefully they don't, since that's not a valid DN.  It would
be something like
   -D "cn=Directory Manager,dc=dominio"

assuming your slapd.conf includes something like

database bdb
suffix "dc=dominio"
rootdn "cn=Directory Manager,dc=dominio"
rootpw <some password, possibly encrypted with sbin/slappasswd>

A database's rootdn is a special DN you can bind as which
has full access to the database regardless of access control,
and which does not need to exist in the database - which is
why you can specify its password in slapd.conf instead.
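An added slapd.conf ACL fragment, not part of the original reply, that spells out each privilege the slapd.access(5) text above lists for a modrdn of a user entry. It assumes a hypothetical layout in which user entries sit directly below ou=people,dc=dominio (e.g. uid=seff,ou=people,dc=dominio) and are named by uid; the explicit attrs=entry,uid rule is not strictly required when a later "access to * by self write" exists, but it makes the modrdn requirements visible and keeps the children grant scoped to one container.

```conf
# Assumed layout (added example, not from the original reply):
# user entries live directly under ou=people,dc=dominio, for example
#   uid=seff,ou=people,dc=dominio
# ACLs are evaluated in order: the first "access to" clause whose
# <what> matches the target decides, so specific rules come first.

# 1. Passwords: the owner may change theirs; others may only bind
#    against it (auth), never read the hash.
access to attrs=userPassword
       by self =wx
       by anonymous auth
       by * none

# 2. modrdn needs write on the "children" pseudo-attribute of both the
#    old and the new parent.  Here both are the same ou, and only
#    entries directly below it may rename (dn.onelevel), so a user in
#    another subtree cannot move entries in or out of ou=people.
access to dn.base="ou=people,dc=dominio" attrs=children
       by dn.onelevel="ou=people,dc=dominio" write
       by * none

# 3. The entry being renamed: write on its "entry" pseudo-attribute
#    and on the naming attribute (uid) present in the new RDN.  With
#    deleteoldrdn=1 the old RDN's attribute must also be writable;
#    it is the same uid attribute here, so this rule covers both.
access to dn.onelevel="ou=people,dc=dominio" attrs=entry,uid
       by self write
       by * read

# 4. Everything else: owners write their own entry, others read.
access to *
       by self write
       by * read
```

Note that the matching rule decides the whole outcome, so rule 2 must appear before rule 4: "access to *" does not include the children pseudo-attribute, but if a broader dn rule without attrs came first it would shadow the children grant. After changing ACLs, rerun the failing ldapmodrdn with -d acl (or check the slapd log at the acl debug level) to see which clause matched and why the request was refused.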