Hi.
I have a meta backend o=vega and two databases, o=vega-main and ou=devel, on the same server.
I configured the meta backend o=vega with
suffixmassage "o=vega" "o=vega-main"
and
suffixmassage "ou=devel,ou=sites,o=vega" "ou=devel"
I'd like to write ACLs per database, but present the DIT as a single suffix
o=vega.
Members of cn=sysadmins,ou=groups,o=vega (really
cn=sysadmins,ou=groups,o=vega-main) should be granted write permission
to ou=devel,ou=sites,o=vega (really ou=devel). But
they are granted only read on o=vega.
Where am I wrong?
My slapd.conf:
database        meta
suffix          "o=vega"
uri             "ldap://ldap.irka.int.masterhost.ru/ou=devel,ou=sites,o=vega"
suffixmassage   "ou=devel,ou=sites,o=vega" "ou=devel"
rootdn          "cn=ldapadm,o=vega"
rootpw          X
uri             "ldap://ldap.irka.int.masterhost.ru/o=vega"
suffixmassage   "o=vega" "o=vega-main"

database        hdb
suffix          ou=devel
rootdn          "cn=ldapadm,ou=devel"
rootpw          XX
directory       /var/db/openldap-data/devel
checkpoint      32 8

access to dn.sub="ou=devel"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,ou=vega-main" write
        by * read

database        hdb
suffix          o=vega-main
rootdn          "cn=ldapadm,o=vega-main"
rootpw          XXX
directory       /var/db/openldap-data/vega-main
checkpoint      32 8

access to dn.sub="ou=SUDOers,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="ou=mail,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.regex="ou=.*,ou=groups,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="ou=groups,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="ou=users,o=vega-main" attrs=userPassword
        by self write
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write

access to dn.sub="ou=users,o=vega-main" attrs=mail
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="ou=users,o=vega-main" attrs=@inetOrgPerson,@inetLocalMailRecipient,@intraPerson,cn
        by self write
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="ou=users,o=vega-main"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.sub="o=vega-main"
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * read
My OpenLDAP version is 2.4.11 on FreeBSD 7.0-amd64.
--
Irina Shetukhina
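The same two-target layout, written out as an added example (editor's illustration, not the poster's config or anything from the OpenLDAP project) to show where group-based write access is actually decided when a meta backend proxies two local databases. Hostname, suffixes, rootdn/rootpw placeholders, directories and group DN are taken from the post; the explicit "by * none" clause and the anchored regex are editorial choices, and only the o=vega-main rules that differ from the post are written out.

```conf
# Proxy: presents o=vega and forwards to the two local databases.
# suffixmassage rewrites the request DNs and the bind DN, so the backend
# databases see identities such as cn=alice,ou=users,o=vega-main and
# their own ACLs (below) decide read/write; ACLs placed in the meta
# database would not replace them.
database        meta
suffix          "o=vega"
rootdn          "cn=ldapadm,o=vega"
rootpw          X

uri             "ldap://ldap.irka.int.masterhost.ru/ou=devel,ou=sites,o=vega"
suffixmassage   "ou=devel,ou=sites,o=vega" "ou=devel"

uri             "ldap://ldap.irka.int.masterhost.ru/o=vega"
suffixmassage   "o=vega" "o=vega-main"

# Development tree. The sysadmins group is stored in the o=vega-main
# database; slapd looks a group DN up in whichever local database holds
# it, so the cross-database reference works provided the DN is spelled
# exactly as stored. slapd does not verify group DNs at startup: a DN
# that names no entry (the post's rule says ou=vega-main, while the
# group sits under o=vega-main) never matches, and only "by * read"
# is left to apply.
database        hdb
suffix          "ou=devel"
rootdn          "cn=ldapadm,ou=devel"
rootpw          XX
directory       /var/db/openldap-data/devel
checkpoint      32 8

access to dn.subtree="ou=devel"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * read

# Main tree.
database        hdb
suffix          "o=vega-main"
rootdn          "cn=ldapadm,o=vega-main"
rootpw          XXX
directory       /var/db/openldap-data/vega-main
checkpoint      XXX
checkpoint      32 8

# Password hashes: owner and sysadmins may change them, anonymous may only
# authenticate against them, nobody else gets to read them. "by * none" is
# slapd's implicit default; spelled out here so the intent is visible.
access to dn.subtree="ou=users,o=vega-main" attrs=userPassword
        by self write
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * none

# dn.regex is an unanchored regular expression unless ^ and $ are given;
# without them the pattern also matches DNs that merely contain this
# string somewhere in the middle.
access to dn.regex="^ou=.*,ou=groups,o=vega-main$"
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by users read

access to dn.subtree="o=vega-main"
        by anonymous auth
        by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
        by * read
```

A quick way to confirm which identity the backend database sees is to bind through the proxy and run an LDAP "Who am I?" operation (ldapwhoami) against the local database: the DN it reports is the one the group clause is evaluated for, and it must be a uniqueMember value of the group entry as stored under o=vega-main.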