
Re: ACL question



Hello there,

I had the same type of problem and the only way I went around it was to 
give the Replicator full access to the tree. 

I think I likened it to something like a file system:

permission   user   group   branch
rwxrwxr-x    root   admin   org
rwxrwxr-x    root   admin   org/myorg
rwxrwxr-x    root   admin   org/myorg/origin

So for me to write to any "subdirectories", I had to at least either 
(a) make the Replicator account part of the group that has write 
privilege (i.e. made it an admin for example) or (b) explicitly specify 
the Replicator write access to the parent node.

This might not be what you're looking for, but this should at least get 
you started. (Now that I think about it, the last two lines simply act 
as a catch-all and the first ACL is never really matched (?).)

If you find a more elegant solution, I'd be interested in hearing it.

Regards,

Jan-Michael

----- Original Message -----
From: James Shvarts <ys2046@columbia.edu>
Date: Tuesday, October 1, 2002 7:21 am
Subject: ACL question

> Hello all,
> 
> I have the following context: ou=origin,dc=myorg,dc=org, which contains 
> users whose DNs are expressed in this form: 
> uid=user1,ou=origin,dc=myorg,dc=org;
> uid=user2,ou=origin,dc=myorg,dc=org etc.
> 
> I also have a "replicator" account with the following DN: 
> cn=replicator,dc=myorg,dc=org (while my rootdn is: 
> cn=admin,dc=myorg,dc=org). The replicator account should be able to 
> manipulate users within ou=origin,dc=myorg,dc=org in any possible way 
> (insert, update, delete, search, etc.).
> 
> I have a hard time coming up with a proper ACL to allow the replicator 
> account to manipulate user entries. I tried adding the statement below 
> to slapd.conf without any other ACL rules, but if I try to retrieve all 
> users with ldapsearch (binding as cn=replicator,dc=myorg,dc=org) I get: 
> ldap_bind: Insufficient access (50).
> 
> access to dn=".*,ou=origin,dc=myorg,dc=org"
>        by dn="cn=replicator,dc=nsdl,dc=org" write
> 
> I would appreciate any help.
> -- James
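The following slapd.conf ACL set is an added example, written by neither poster, of how the access described in the question above can be granted while still letting the replicator (and the users) bind. It assumes OpenLDAP 2.1 or later `dn.<style>` syntax and the DNs named in the thread.

```conf
# Added example, not the original poster's slapd.conf. Assumes OpenLDAP 2.1+
# "dn.<style>" ACL syntax and the DNs used in the thread.
# slapd evaluates "access to" directives in order; the first directive whose
# target matches the entry/attribute decides, so narrower targets come first.

# 1. A simple bind needs "auth" access to the userPassword of the entry being
#    bound. For users under ou=origin the replicator may also set passwords.
access to dn.children="ou=origin,dc=myorg,dc=org" attrs=userPassword
        by dn.exact="cn=replicator,dc=myorg,dc=org" write
        by self write
        by anonymous auth
        by * none

# 2. cn=replicator,dc=myorg,dc=org itself sits outside ou=origin, so the
#    single rule posted in the question never covered its own entry and the
#    bind got no "auth" access. This rule covers every remaining userPassword.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 3. Adding or deleting entries directly under ou=origin requires write access
#    to the parent's "children" pseudo-attribute (the "write access to the
#    parent node" Jan-Michael mentions), not to the whole parent entry.
access to dn.base="ou=origin,dc=myorg,dc=org" attrs=children
        by dn.exact="cn=replicator,dc=myorg,dc=org" write
        by * none

# 4. Full control over the user entries themselves (search, read, modify,
#    delete). The bind DN uses dc=myorg: the dc=nsdl in the posted rule
#    matches no account described in the question.
access to dn.children="ou=origin,dc=myorg,dc=org"
        by dn.exact="cn=replicator,dc=myorg,dc=org" write
        by * read

# 5. Catch-all for everything not matched above. The rootdn
#    (cn=admin,dc=myorg,dc=org) is never subject to these ACLs.
access to *
        by * read
```

If the blanket rule 4 were placed before rules 1 and 3, it would match first for userPassword and children as well, and the narrower clauses would never be consulted; that is the ordering trap behind "the first ACL is never really matched".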