
Re: no write access to parent

Irina Shetukhina <irka@masterhost.ru> writes:

> Hi.
> There is acl in slapd.conf:
> access to dn.one="ou=personal,ou=groups,o=vega"
>         by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
>         by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
>         by users read
> And when  any  of  the  members of "cn=users-admins,ou=groups,o=vega"
> tries to add a new object, he's got an error:
>  no write access to parent
> But he can modify exiting object without errors.
> If I change dn.one to dn.sub, there is no errors at all.
> Could anybody explain, what modification needs to parent object?

man slapd.access(5):

    one (synonym of onelevel) indicates all the entries immediately
    below the <dnpattern>, sub (synonym of subtree) indicates all

    The add operation requires add (=a) privileges on the pseudo-attribute
    entry of the entry being added, and add (=a) privileges on the pseudo-
    attribute children of the entry's parent.

As an add operation requires read access to the pseudo-attribute children,
you have to allow read access to ou=personal,ou=groups,o=vega,
something like

    access to dn.one="ou=personal,ou=groups,o=vega" attrs=children

or you allow all operations on the base ou=personal,ou=groups,o=vega:

    access to dn.subtree="ou=personal,ou=groups,o=vega"


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535
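As an added example (not part of the thread), here is a slapd.conf ACL fragment built from the rule in the question and the slapd.access(5) excerpt quoted above: the add operation needs add (=a) privilege on the parent's children pseudo-attribute, and write includes add. The group and base DNs are the ones from the question; nothing else is assumed.

```conf
# Added example, not from the original thread. Grants the members of
# cn=users-admins and cn=tree-admins the right to add entries directly
# under ou=personal,ou=groups,o=vega without opening the whole subtree.

# 1. The parent itself. Adding a child requires add (=a) on the parent's
#    "children" pseudo-attribute; "write" implies add. Because the rule is
#    limited to attrs=children, the parent's real attributes stay read-only.
#    Keep this rule before any broader rule whose dn pattern also matches
#    ou=personal itself (e.g. a dn.subtree rule on o=vega): slapd stops at
#    the first "access to" clause that matches the target.
access to dn.base="ou=personal,ou=groups,o=vega" attrs=children
        by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
        by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
        by users read

# 2. The rule from the question, unchanged. With no attrs= list it covers
#    the new entry's own "entry" pseudo-attribute and all of its regular
#    attributes, which is the other half of what an add requires. This is
#    why modifying existing children already worked while add failed with
#    "no write access to parent".
access to dn.one="ou=personal,ou=groups,o=vega"
        by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
        by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
        by users read
```

Switching the original rule to dn.sub also makes add work, but it does so by granting write on ou=personal and every descendant, which is far more than the admins need.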