
Admin roles by group membership per OU



Hi,

here is my scenario:

dn: dc=mycompany,dc=hu

dn: ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=group1abc,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=group2abc,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
+- dn: uid=user2,ou=ABC Customer,dc=mycompany,dc=hu

dn: ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: cn=group1xyz,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: cn=group2xyz,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: uid=user1,ou=XYZ Customer,dc=mycompany,dc=hu
+- dn: uid=user2,ou=XYZ Customer,dc=mycompany,dc=hu
...


the cn=groupabcadmin,ou=ABC Customer node above looks like this:

dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
objectClass: groupOfNames
cn: groupabcadmin
member: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu

I'd like to set it up so that all members of the cn=groupabcadmin
group (currently the "uid=user1,ou=ABC Customer" user, ...) can write
to the DB (add, modify, delete) under their own OU, specifically
ou=ABC Customer,dc=mycompany,dc=hu.

I've found this example:
http://www.openldap.org/faq/data/cache/52.html

Now the config looks like this:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mycompany,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
olcLastMod: TRUE

The uid=user1 user's password is correct; I can read from the DB with it.
But when I try to add a new user, I get:

ldap_add: Insufficient access (50)
	additional info: no write access to parent

and in the log:

Oct 11 17:03:16 open-ldap slapd[25821]: mdb_dn2entry("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_dn2id("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_entry_decode:
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_entry_decode
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: add access to "ou=ABC Customer,dc=mycompany,dc=hu" "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => dn: [2]
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_get: [3] attr children
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: access to entry "ou=ABC Customer,dc=mycompany,dc=hu", attr "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: to all values by "uid=user1,ou=abc customer,dc=mycompany,dc=hu", (=0)
Oct 11 17:03:16 open-ldap slapd[25821]: <= check a_dn_pat: *
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] applying read(=rscxd) (stop)
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] mask: read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => slap_access_allowed: add access denied by read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: no more rules
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_add: no write access to parent
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: conn=1208 op=1 p=3
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: err=50 matched="" text="no write access to parent"
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_response: msgid=2 tag=105 err=50
Oct 11 17:03:16 open-ldap slapd[25821]: conn=1208 op=1 RESULT tag=105 err=50 text=no write access to parent


What do I miss?


Thanks,


a.
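As an added illustration (not part of the original post), the Python model below reproduces slapd's first-match ACL selection for the add shown in the log: the `{2}to * by * read` rule matches the parent `ou=ABC Customer` entry first and stops evaluation, and a `dn.children` target alone would not match that parent entry, whose `children` pseudo-attribute is what the add checks. Group matching is simplified to a plain member set (labelled `group=` here) rather than slapd's `group.exact` syntax.

```python
# Added example, not from the original post: a small model of how slapd picks
# an ACL for an add. slapd applies the FIRST "to" clause whose target matches
# the checked entry and stops; for an add, the checked entry is the PARENT and
# the attribute is the "children" pseudo-attribute (see the posted log).

def dn_parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""   # no escaped commas here

def dn_matches(style, target, dn):
    # Mirrors the dn.base / dn.children / dn.subtree / "*" target styles.
    dn, target = dn.lower(), target.lower()
    if style == "*":
        return True
    if style == "base":
        return dn == target
    if style == "children":          # strictly below target, NOT target itself
        return dn.endswith("," + target)
    if style == "subtree":           # target and everything below it
        return dn == target or dn.endswith("," + target)
    raise ValueError("unknown dn style: " + style)

def access_for_add(rules, new_dn, bind_dn, groups):
    """Access level the first matching rule grants on the parent's 'children'."""
    parent = dn_parent(new_dn).lower()
    for style, target, who in rules:
        if not dn_matches(style, target, parent):
            continue                 # this "to" clause does not apply
        for subject, level in who:   # within a rule, the first "by" wins too
            is_self = subject == "self" and bind_dn.lower() == parent
            in_grp = subject.startswith("group=") and bind_dn.lower() in groups.get(subject[6:].lower(), ())
            if subject == "*" or is_self or in_grp:
                return level
        return "none"                # rule matched, but no "by" clause did
    return "none"                    # no rule matched at all

OU = "ou=ABC Customer,dc=mycompany,dc=hu"
ADMIN = "cn=groupabcadmin," + OU
USER1 = "uid=user1," + OU
GROUPS = {ADMIN.lower(): {USER1.lower()}}                  # simplified group=
ADMIN_WHO = [("self", "write"), ("group=" + ADMIN, "write"), ("*", "auth")]
CATCH_ALL = ("*", "", [("*", "read")])                     # olcAccess {2}
# Rules {0} (attrs=userPassword) and {1} (dn.base="") never match "children".
AS_POSTED = [CATCH_ALL, ("children", OU, ADMIN_WHO)]       # {2} then {3}
CHILDREN_FIRST = [("children", OU, ADMIN_WHO), CATCH_ALL]  # reordered only
SUBTREE_FIRST = [("subtree", OU, ADMIN_WHO), CATCH_ALL]    # reordered + subtree

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("children first", CHILDREN_FIRST), ("subtree first", SUBTREE_FIRST)):
        print(name, "->", access_for_add(rules, "uid=user2," + OU, USER1, GROUPS))
```

Running it prints `read`, `read`, `write`: only a rule that both precedes the catch-all and covers the parent entry itself lets the group add entries under the OU.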