[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Stuck in ACL

----- Wolf-Agathon Schaly <w-a.schaly@arcor.de> ha scritto:
> Fellows 
> I'm trying to grant write access to the subtree using the following access directive
> access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
>         by dn="cn=myusername,ou=users,o=privat,c=de" write
>         by anonymous read
>         by * auth


> this rule is working fine but for just one user. If I add another 'by dn' like 
>         by dn="cn=yourusername,ou=users,o=privat,c=de" write
> It is working as well. WhoHoo !
> That would be fine if I wouldn't expect a huge number of users. Another unaccepable issue would be that the ldap instance would need a restart. That's why I decided to grant access to the dn.subtree to a group (i.e. dba) and have tried the following directive
> access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
>         by group="cn=dba,ou=groups,o=privat,c=de" write
>         by anonymous read


> But whenever I try as a member of the dba group to write an entry underneath the cn=OracleContext,.... I'm getting the error message 
> Enter LDAP Password:
> adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent

When changing from (1) to (2) you changed two portions of your ACL: the <what> and the <who>.  According to your description of the problem, your intention was to change only the <who>.  Wy did you change the <what>, then (going from correct to incorrect)?  Use the (right) <what> from (1) and the new <who> from (2).  This will solve your problem.  In general, apply changes one at a time, especially when you're at a loss.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it