[LUNI] LDAP write access

Keith T. Garner kgarner at kgarner.com
Thu Aug 31 09:20:40 CDT 2006


I had to go back and look at the auth stuff I've done in openldap.  (I'm
really starting to loathe openldap.  I really need to clear up some time to
play with RedHat's ldap server.)

The only thing I can think of is you gave yourself access to one, and only
one, dn.  You probably want anything that is a child of that as well.  So
you might want, in addition to what you've already got, something like:

  access to dn=".*,ou=sten,ou=contacts,dc=redboy,dc=cx"
    by dn="uid=sten,ou=users,dc=redboy,dc=cx" write
    by * none

Keith

sten wrote:
> sort of tangentially related to my earlier mailserver questions, I'm
> trying to set up personal addressbooks in an LDAP database, and I'm running
> into permissions issues. Eventually, I want to use regexes to match users to
> their own ou, but for now I have:
> 
> access to dn="ou=sten,ou=contacts,dc=redboy,dc=cx"
>         by dn="uid=sten,ou=users,dc=redboy,dc=cx" write
>         by * none
> 
> in my slapd.conf, but when I try adding an entry, I get an error saying
> "Insufficient access:"
> 
> sten at fenris2:~$ ldapadd -D uid=sten,ou=users,dc=redboy,dc=cx -W -x -v -f test
> ldap_initialize( <DEFAULT> )
> Enter LDAP Password:
> add cn:
>         Barbara Jensen
>         Babs Jensen
> add sn:
>         Jensen
> add title:
>         the world's most famous mythical manager
> add mail:
>         bjensen at example.com
> add givenName:
>         Barbara Jensen
> add objectClass:
>         inetOrgPerson
> adding new entry "cn=Barbara Jensen,ou=sten,ou=contacts,dc=redboy,dc=cx"
> modify complete
> ldap_add: Insufficient access (50)
>         additional info: no write access to parent
> 
> I've tried "access to dn.subtree" and a bunch of other permutations
> inspired by the manpage for slapd.access, all with the same error; can
> anyone tell me what I'm missing?



-- 
 Keith T. Garner                                        kgarner at kgarner.com
                "Make no little plans; they have no magic to
                   stir men's blood." - Daniel H. Burnham
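
An added slapd.conf fragment (not from either poster) that pulls together the points raised above: the parent entry has to be writable for ldapadd to create a child, the target must cover the subtree rather than one DN, and because slapd applies the first "access to" clause whose target matches, the specific rule has to sit before any catch-all. The dn.regex rule is the per-user generalisation sten mentions wanting; the catch-all at the end is a placeholder to be replaced with the site's real default policy.

```conf
# Order matters: slapd evaluates "access to" clauses top to bottom and uses
# the FIRST one whose target matches the entry. A broad "access to *" placed
# above these rules would shadow them and produce "Insufficient access".

# Single-user form. dn.subtree covers ou=sten itself AND every entry below it.
# Both are needed: adding cn=Barbara Jensen,ou=sten,... requires write access
# to the parent (ou=sten) as well as to the new entry.
access to dn.subtree="ou=sten,ou=contacts,dc=redboy,dc=cx"
    by dn.exact="uid=sten,ou=users,dc=redboy,dc=cx" write
    by * none

# Per-user generalisation. The regex captures the ou name under ou=contacts;
# the optional leading "(.*,)?" makes the rule match the ou entry itself and
# any entry beneath it. "dn.exact,expand" substitutes the captured group into
# the bind DN, so uid=<name> may write only to ou=<name>,ou=contacts.
# ($1 is the optional prefix, $2 is the ou name; DNs are matched in
# normalised form, so keep the pattern lowercase.)
access to dn.regex="^(.*,)?ou=([^,]+),ou=contacts,dc=redboy,dc=cx$"
    by dn.exact,expand="uid=$2,ou=users,dc=redboy,dc=cx" write
    by * none

# Placeholder catch-all: must come LAST. Replace with the real default policy.
access to *
    by users read
    by * none
```

The rootdn bypasses ACLs entirely, so test the rules by binding as the ordinary user (as in the ldapadd run quoted above), not as the directory administrator.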

