
Re: no write access to parent



Irina Shetukhina <irka@masterhost.ru> writes:

> Hi.
>
> There is acl in slapd.conf:
>
> access to dn.one="ou=personal,ou=groups,o=vega"
>         by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
>         by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
>         by users read
>
> And when any of the members of "cn=users-admins,ou=groups,o=vega"
> tries to add a new object, he gets an error:
>  no write access to parent
>
> But he can modify an existing object without errors.
>
> If I change dn.one to dn.sub, there are no errors at all.
>
> Could anybody explain what modification the parent object needs?

man slapd.access(5):
    one (synonym of onelevel) indicates all the entries immediately
    below the <dnpattern>, sub (synonym of subtree) indicates all
    entries
[...]
    The add operation requires add (=a) privileges on the pseudo-attribute
    entry of the entry being added, and add (=a) privileges on the pseudo-
    attribute children of the entry's parent.

As an add operation requires read access to the pseudo-attribute children,
you have to allow read access to ou=personal,ou=groups,o=vega,
something like
access to dn.base="ou=personal,ou=groups,o=vega" attrs=children
or you allow all operations on the base ou=personal,ou=groups,o=vega
by
access to dn.subtree="ou=personal,ou=groups,o=vega"

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
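The following is an added example, not code from either message above and not OpenLDAP's own code. It is a small Python model of the part of slapd(8) ACL evaluation the reply relies on: dn.base / dn.one / dn.subtree scope matching, and the slapd.access(5) rule that an add needs access to the 'entry' pseudo-attribute of the new entry plus the 'children' pseudo-attribute of its parent. It runs the three ACL variants discussed in the thread (the poster's dn.one rule, the dn.sub workaround, and a narrower fix that adds an attrs=children rule for the parent entry only) against a modify and an add. The group memberships, user DNs, the "no matching rule means no access" default, and the assumption that a rule without attrs= covers the entry/children pseudo-attributes are constructed simplifications; the rules are written as Python tuples rather than parsed from slapd.conf.

```python
"""Toy model of slapd ACL evaluation for modify vs. add (added example)."""
from dataclasses import dataclass
from typing import Optional

# Simplified privilege ordering; a higher level implies the lower ones.
LEVELS = {"none": 0, "read": 1, "add": 2, "write": 3}

# Constructed directory data: two admin groups, each with one member.
GROUPS = {
    "cn=users-admins,ou=groups,o=vega": {"cn=alice,ou=personal,ou=groups,o=vega"},
    "cn=tree-admins,ou=groups,o=vega": {"cn=bob,ou=personal,ou=groups,o=vega"},
}


@dataclass(frozen=True)
class Rule:
    scope: str                   # "base", "one" or "subtree", as in dn.<scope>=
    pattern: str                 # the <dnpattern>
    attrs: Optional[frozenset]   # attrs=...; None models "no attrs= clause":
                                 # every attribute, entry/children included (assumption)
    by: tuple                    # ((who, level), ...); who is "group:<dn>" or "users"


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def scope_matches(scope: str, pattern: str, dn: str) -> bool:
    """Mimic dn.<scope>="<pattern>" matching from slapd.access(5)."""
    dn, pattern = dn.lower(), pattern.lower()
    if scope == "base":
        return dn == pattern
    if scope == "one":        # only entries immediately below the pattern
        return parent_dn(dn) == pattern
    if scope == "subtree":    # the pattern entry itself and everything below it
        return dn == pattern or dn.endswith("," + pattern)
    raise ValueError(f"unknown scope {scope!r}")


def who_matches(who: str, bind_dn: str) -> bool:
    if who == "users":
        return bind_dn != ""          # any authenticated DN
    if who.startswith("group:"):
        return bind_dn in GROUPS.get(who[len("group:"):], set())
    raise ValueError(who)


def access_level(acl, bind_dn: str, target_dn: str, attr: str) -> str:
    """First rule whose <what> matches decides; first matching <by> wins;
    no matching rule or no matching <by> clause yields 'none'."""
    for rule in acl:
        if not scope_matches(rule.scope, rule.pattern, target_dn):
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn):
                return level
        return "none"
    return "none"


def allowed(acl, bind_dn, target_dn, attr, needed) -> bool:
    return LEVELS[access_level(acl, bind_dn, target_dn, attr)] >= LEVELS[needed]


def check_add(acl, bind_dn: str, new_dn: str):
    """None on success, else the error text slapd would report for the failing check."""
    if not allowed(acl, bind_dn, parent_dn(new_dn), "children", "add"):
        return "no write access to parent"
    if not allowed(acl, bind_dn, new_dn, "entry", "add"):
        return "no write access to entry"
    return None


def check_modify(acl, bind_dn: str, dn: str, attrs):
    """Modify needs write on each attribute being changed."""
    for a in attrs:
        if not allowed(acl, bind_dn, dn, a, "write"):
            return f"no write access to {a}"
    return None


ADMINS = (
    ("group:cn=users-admins,ou=groups,o=vega", "write"),
    ("group:cn=tree-admins,ou=groups,o=vega", "write"),
    ("users", "read"),
)
PARENT = "ou=personal,ou=groups,o=vega"

# The ACL from the question: dn.one covers the children of PARENT, never PARENT itself,
# so PARENT's 'children' pseudo-attribute falls through to the default (no access).
ACL_DN_ONE = (Rule("one", PARENT, None, ADMINS),)
# The poster's workaround: dn.sub also matches PARENT, so its 'children' attribute is covered.
ACL_DN_SUB = (Rule("subtree", PARENT, None, ADMINS),)
# Narrower fix: keep dn.one, add a rule only for PARENT's 'children' pseudo-attribute
# (slapd.conf: access to dn.base="ou=personal,ou=groups,o=vega" attrs=children ...).
ACL_FIXED = (
    Rule("base", PARENT, frozenset({"children"}), ADMINS),
    Rule("one", PARENT, None, ADMINS),
)

if __name__ == "__main__":
    alice = "cn=alice,ou=personal,ou=groups,o=vega"      # member of users-admins
    new = "cn=carol,ou=personal,ou=groups,o=vega"        # entry alice tries to add
    for name, acl in (("dn.one", ACL_DN_ONE), ("dn.sub", ACL_DN_SUB), ("fixed", ACL_FIXED)):
        print(f"{name:6} modify={check_modify(acl, alice, new, ['mail'])!r:6}"
              f" add={check_add(acl, alice, new)!r}")
```

Running it reproduces the thread: with dn.one the modify succeeds but the add fails with "no write access to parent", while dn.sub and the dn.base/attrs=children rule both let the add through. The fixed variant is the least privilege of the two, since it grants the admin groups nothing on ou=personal itself beyond the right to create entries under it.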