Re: ACL problem in slapd.conf
On 04/09/2009 12:02, Tomasz Chmielewski wrote:
I would like to allow a user to edit everything in a given subtree.
For example, I would like to allow
uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in
I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up
access for that user, but I keep getting "insufficient access".
conn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com"
conn=5 op=0 RESULT tag=97 err=0 text=
conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
My rule in slapd.conf is:
access to dn="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by dn="uid=Operator,ou=Users,dc=example,dc=com" read
I also tried to use:
access to dn.subtree="ou=Users,dc=example,dc=com"
But then I'm not even able to connect.
I recommend that you read the chapter on access control from the
*OpenLDAP* admin guide:
In this particular case, I expect that you have other access rules that
may be blocking this one - remember that order is important, and the
first rule matching on the <what> part will define the access level.
Help in setting up ACLs is available through two other means:
1) If you use the command line ldap* tools, they often output some
additional info along with the error 50, like this:
ldap_delete: Insufficient access (50)
additional info: no write access to parent
2) You can enable loglevel acl in your configuration file and check the
logs to see which rules are being used.
I hope this helps. If you have further questions, don't hesitate to post
back here with your full set of ACLs, and information on the version of
slapd you're using.
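As an added illustration of the ordering point made above (example configuration, not from the thread or from the OpenLDAP project), here is one slapd.conf ACL set that gives uid=Operator write access over the whole ou=Users subtree. It assumes a single database for dc=example,dc=com; the DNs reuse the thread's layout and the rest is hypothetical.

```conf
# Added example (not the thread's own config). Assumed: one database holding
# dc=example,dc=com; only the DNs come from the thread, everything else is a
# placeholder. Rules are evaluated top to bottom and the first rule whose
# <what> matches the target decides the access level, so order matters.

# 1. Authentication first. A broad subtree rule placed above this one also
#    matches userPassword, and with no "by anonymous auth" clause the
#    implicit "by * none" makes every simple bind fail before any DEL runs.
access to attrs=userPassword
    by anonymous auth
    by self write
    by dn.exact="uid=Operator,ou=Users,dc=example,dc=com" write
    by * none

# 2. The subtree grant. dn.subtree includes the base entry ou=Users itself,
#    so Operator also gets write on its "children" pseudo-attribute, which
#    slapd checks on ADD and DEL of entries beneath it ("no write access to
#    parent" is the symptom when that is missing). With no attrs= clause the
#    rule covers every attribute, including the "entry" and "children"
#    pseudo-attributes. To keep the ou=Users entry itself read-only, use
#    dn.children here and add a separate
#      access to dn.exact="ou=Users,dc=example,dc=com" attrs=children
#    rule granting Operator write.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn.exact="uid=Operator,ou=Users,dc=example,dc=com" write
    by self write
    by users read
    by * none

# 3. Catch-all last. If a "by * read" rule for the same entries sat above
#    rule 2, it would match first and rule 2 would never be consulted.
access to *
    by users read
    by * none
```

The result can be checked offline with slapacl, e.g. `slapacl -f slapd.conf -D "uid=Operator,ou=Users,dc=example,dc=com" -b "ou=Users,dc=example,dc=com" children/write`, which reports which rule granted or denied the access.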