
Re: ACL problem



On 12/04/09 18:42, Guillaume CHARDIN wrote:
> Hi, I'm a beginner with OpenLDAP and I would like some help with
> configuring a test directory (for now).
> I thought I set up the base of the directory correctly, but I encounter
> some issues with ACLs to delegate rw access to some users/OUs/groups.
> While I can do anything on the directory with the 'rootdn', I wasn't
> able to give rw access to another user (admintest) on the directory.
> To achieve this task I use several tools: phpldapadmin, ldapadd,
> ldapdelete. And every time these tools return an error about the rights of
> the user I bind to the directory.
>
>
> Here is an example:
> ]#ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W
> ou=test,dc=brcorp,dc=local
> Enter LDAP Password:
> ldap_delete: Insufficient access (50)
>              additional info: no write access to parent
>
> If I do the same with the rootdn user everything goes fine.
>
> I use a static configuration on the server side so I have to
> start/restart ldap to have new ACLs applied.
> Below are my access rules written in my slapd.conf file:
> #in the global config :
> access to * by * read
> #in the "database" config :
> access to dn.subtree="dc=brcorp,dc=local"
>          by dn.one="uid=admintest,dc=brcorp,dc=local" write
>          by self write
> access to *
>          by dn.exact="cn=Manager,dc=brcorp,dc=local" read
>          by * none
Hi,

When you write "by dn.one", this effectively applies to any user accounts that are one level *below* the account "uid=admintest" in your tree. You should replace that with "dn.base".

See this section of the admin guide for more details:
http://www.openldap.org/doc/admin24/access-control.html#What%20to%20control%20access%20to

Regards,
Jonathan
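To make the scope point concrete, here is a small added example (my own, not code from the thread or from OpenLDAP) that models just enough of slapd's "access to ... by ..." evaluation to show why the posted rule denies admintest and why switching dn.one to dn.base fixes it. The rule set, the bind DN and the deleted entry are the ones from the original message; the DN normalisation and the "first matching rule, first matching by clause, otherwise none" logic are a deliberate simplification of what slapd really does (no attribute-level access, no entry/children pseudo-attributes).

```python
"""Toy evaluator for slapd-style DN scope matching in 'by' clauses.

Added example (not code from the thread or from OpenLDAP): it models just
enough of slapd ACL evaluation to show why
    by dn.one="uid=admintest,dc=brcorp,dc=local" write
never matches a bind as uid=admintest itself, while dn.base (= dn.exact) does.
"""


def normalize_dn(dn):
    """Split a DN into lowercased RDNs, leaf first (crude stand-in for slapd's normalisation)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(",") if rdn.strip())


def dn_scope_matches(scope, pattern, dn):
    """slapd scope keywords: base/exact, one, subtree, children."""
    p, d = normalize_dn(pattern), normalize_dn(dn)
    if scope in ("base", "exact"):
        return d == p                                   # the entry itself, nothing else
    if scope == "one":
        return len(d) == len(p) + 1 and d[1:] == p      # dn's parent is exactly pattern
    if scope == "subtree":
        return len(d) >= len(p) and d[len(d) - len(p):] == p
    if scope == "children":
        return len(d) > len(p) and d[len(d) - len(p):] == p
    raise ValueError(f"unknown scope {scope!r}")


def who_matches(who, target_dn, bind_dn):
    """'by <who>' forms used on the page: '*', 'self', and dn.<scope>="..."."""
    if who == "*":
        return True
    if who == "self":
        return normalize_dn(target_dn) == normalize_dn(bind_dn)
    kind, scope, pattern = who                          # e.g. ("dn", "one", "uid=admintest,...")
    assert kind == "dn"
    return dn_scope_matches(scope, pattern, bind_dn)


def access_level(rules, target_dn, bind_dn):
    """First 'access to' whose target matches is used; within it the first matching
    'by' clause wins.  A matching target with no matching 'by' clause denies
    (slapd's implicit trailing 'by * none')."""
    for target, by_clauses in rules:
        if target != "*":
            _, scope, pattern = target
            if not dn_scope_matches(scope, pattern, target_dn):
                continue
        for who, level in by_clauses:
            if who_matches(who, target_dn, bind_dn):
                return level
        return "none"
    return "none"


def can_delete(rules, entry_dn, bind_dn):
    """ldapdelete needs write on the entry and on its parent ("no write access to parent")."""
    parent_dn = ",".join(normalize_dn(entry_dn)[1:])
    return (access_level(rules, entry_dn, bind_dn) == "write"
            and access_level(rules, parent_dn, bind_dn) == "write")


# Database-section rules exactly as posted.  The global 'access to * by * read'
# is only consulted after the database rules, so it plays no part here.
ADMIN = "uid=admintest,dc=brcorp,dc=local"
POSTED_RULES = [
    (("dn", "subtree", "dc=brcorp,dc=local"),
     [(("dn", "one", ADMIN), "write"), ("self", "write")]),
    ("*", [(("dn", "exact", "cn=Manager,dc=brcorp,dc=local"), "read"), ("*", "none")]),
]
# Same rules with Jonathan's fix applied: dn.one -> dn.base
FIXED_RULES = [
    (("dn", "subtree", "dc=brcorp,dc=local"),
     [(("dn", "base", ADMIN), "write"), ("self", "write")]),
    POSTED_RULES[1],
]

if __name__ == "__main__":
    entry = "ou=test,dc=brcorp,dc=local"
    print("posted rules, admintest can delete:", can_delete(POSTED_RULES, entry, ADMIN))
    print("fixed rules,  admintest can delete:", can_delete(FIXED_RULES, entry, ADMIN))
    # what dn.one actually grants: an account *under* admintest (constructed DN)
    print("dn.one matches a child of admintest:",
          dn_scope_matches("one", ADMIN, "cn=child," + ADMIN))
```

Running it shows the posted rules yielding "none" for admintest on both ou=test and its parent (hence the Insufficient access from ldapdelete), while the dn.base variant yields "write" on both; the last line shows the only kind of bind DN the original dn.one clause would have matched.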