[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access controls


On 07/07/2009 17:13, Darryl Moore wrote:
Hi all,

I've installed a LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.

What I am trying to do now is allow each one of them to have an
address book in their subtree.

I created a subtree in each authentication relm that looks like this


Their is no problem with the rootdn adding entries below this, but I
am unable to get the user to be able to. In fact I can't seem to
allow the user to write anywhere. Even with the lone access rule:

access to * by * write

in the /etc/ldap/ldap.conf file (and yes I restart slapd everytime I
 change this file)

I presume you mean slapd.conf file, not ldap.conf.

When testing this, make sure to put this rule as the *first* access rule
in the slapd.conf file.

Order is important in ACLs, since the first matching rule will apply. So
if your "access to * by * write" is not the first, it probably is never reached.

I beleive the correct access rule for what I want is: access to
dn.children="ou=People,dc=domain,dc=ca" by self write

A quick excerpt from the admin guide:
To add or delete an entry, the subject must have write access to the
entry's entry attribute AND must have write access to the entry's
parent's children attribute.

Be careful of "self" as well, it only represents the current user's
entry, not it's children/etc.

Hope this helps,
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org