
Openldap - ldap user can't add entry: Insufficient access (no write access to parent)



Hello,

(I'm not an LDAP guru - sorry for the lame question(s))

I'd like to make an address book in LDAP (for mail clients, as a
first step for my RoundCube). The server is Debian 7.9, slapd 2.4.31
(OpenLDAP). After the successful installation, I've created a
subtree for the address book:

dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit

dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit

dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit

and a regular user for RoundCube:

dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1

But when I try to add a new entry as rcuser, I get this
error:

ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password: 
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
    additional info: no write access to parent

The ou=public,ou=rcabook subtree has a special access rule in the config:

# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ
 e
olcLastMod: TRUE
...

Which privileges do I need to add so that all users can add
entries to the subtree?

Thanks,

a.


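The rule ordering in the slapcat output above is the thing to check: slapd evaluates olcAccess directives in index order and applies the first "to" clause whose target matches, so with "to *" at {2} the subtree rule at {3} is never reached. As an added example (not from the original post), here is an ldapmodify LDIF that reorders the rules of olcDatabase={1}hdb so the ou=public rule comes before the catch-all; it assumes the usual Debian cn=config setup where root can bind over ldapi:// with SASL EXTERNAL.

```ldif
# Added example, not part of the original post.
# Apply as root on the server (assumes Debian's default cn=config ACL,
# which lets the local root user modify cn=config via SASL EXTERNAL):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f reorder-acl.ldif
#
# "replace: olcAccess" swaps the whole ordered list at once, so every
# rule is restated here. The subtree rule now sits at {2}, ahead of
# "to *" at {3}. A "to" clause without attrs= also covers the entry and
# children pseudo-attributes, which is what an add on ou=public needs
# ("no write access to parent" is exactly that check failing).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by dn="cn=admin,dc=mydomain,dc=com" write by users write by * read
olcAccess: {3}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
```

Note that "by users write" lets every authenticated bind (not only rcuser) modify or delete any entry under ou=public; if only RoundCube should write there, by dn.exact="cn=rcuser,ou=rcabook,dc=mydomain,dc=com" write is the tighter choice. Verify the result with slapcat -n0 and a test ldapadd as rcuser before relying on it.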