
Re: ACL problem in slapd.conf

Tomasz Chmielewski <mangoo@wpkg.org> writes:

> I would like to allow a user to edit everything in a given subtree.
> For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in *,ou=Users,dc=example,dc=com.
> I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up access for that user, but I keep getting "insufficient access".
> conn=5 fd=15 ACCEPT from IP= (IP=
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
> conn=5 op=0 RESULT tag=97 err=0 text=
> conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
> conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
> My rule in slapd.conf is:
> access to dn="ou=Users,dc=example,dc=com"
>    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
>    by dn="uid=Operator,ou=Users,dc=example,dc=com" read

This access to rule only allows access to dn.base=ou=Users,...
The write privilege includes the read, compare and auth privileges, so the second
by clause is never checked and can be omitted.
You should follow 
in order to have valid and authoritative documentation.

> I also tried to use:
> access to dn.subtree="ou=Users,dc=example,dc=com"
>   ...

read man slapd.access(5)


Dieter Klünter | Systemberatung
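As an added illustration (not part of this thread and not OpenLDAP's own code), a small Python model of the two points made above, using the thread's DNs: a plain dn= target is base scope and never matches an entry below ou=Users, and write already implies read, so a second by clause for the same DN is never reached. The target styles and privilege ordering follow slapd.access(5); the model goes beyond the thread by also covering dn.one and dn.children, and the function names and the treatment of an unmatched target as "none" are my simplifications.

```python
# Privilege levels from slapd.access(5): each level implies all lower ones,
# so "write" covers read, search, compare, auth and disclose.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize(dn):
    # RDN list, most specific first; case and spacing differences are ignored.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_matches(style, pattern, target):
    # Target styles: base (what a plain dn= means), one, subtree, children.
    p, t = normalize(pattern), normalize(target)
    is_under = len(t) >= len(p) and t[len(t) - len(p):] == p
    depth = len(t) - len(p)
    return {
        "base": is_under and depth == 0,
        "one": is_under and depth == 1,
        "subtree": is_under,
        "children": is_under and depth > 0,
    }[style]


def grants(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def evaluate(rules, target, who, needed):
    """rules: list of (style, pattern, [(by_dn or '*', level), ...]).
    The first 'access to' whose target matches wins; within it the first
    matching 'by' clause decides and later clauses are not consulted."""
    for style, pattern, by_clauses in rules:
        if not dn_matches(style, pattern, target):
            continue
        for subject, level in by_clauses:
            if subject == "*" or normalize(subject) == normalize(who):
                return grants(level, needed), level
        return False, "none"  # target matched, no 'by' clause matched
    return False, "none"      # simplification: no rule matched at all


OPERATOR = "uid=Operator,ou=Users,dc=example,dc=com"
TARGET = "uid=d.user3,ou=Users,dc=example,dc=com"  # the DEL target in the log

# The rule as posted: plain dn= is base scope, so entries under ou=Users never match.
AS_POSTED = [("base", "ou=Users,dc=example,dc=com",
              [(OPERATOR, "write"), (OPERATOR, "read")])]
# Subtree scope covers the entry; one 'by ... write' clause already implies read.
FIXED = [("subtree", "ou=Users,dc=example,dc=com", [(OPERATOR, "write")])]

if __name__ == "__main__":
    print("as posted, DEL:", evaluate(AS_POSTED, TARGET, OPERATOR, "write"))
    print("subtree rule, DEL:", evaluate(FIXED, TARGET, OPERATOR, "write"))
```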