On Mon, Apr 12, 2010 at 01:14:40PM -0400, Matt Ingram wrote:
We're trying to implement ACLs that will allow our Admins to modify the LDAP directory without using a generic admin account, and using their own credentials within LDAP. Our requirement is that the Admins can modify the mail, uid and userPassword attributes, which I have working. Part of this also requires that the Admin has the ability to add those attributes. That does not work.
From an ACL perspective there is really no difference between adding an attribute and modifying its value.
One comment I would make about your ACLs is that in several places you are granting read access to userPassword. This is not usually necessary nor is it a good idea. You need 'by * auth' access to permit authentication, but only need to give '=w' access to those who need to change passwords. Remember that the 'write' keyword includes read access.
If your ACLs are not doing what you expect, you may need to turn on 'loglevel ACL' (see slapd.conf(5)). The output is voluminous, but it can help you to understand what is going on.
Andrew
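The ACL shape Andrew describes, as an added slapd.conf example that is not part of the original thread: the commonly seen form that grants read on userPassword, the corrected form using '=w' and 'by * auth', plus the 'loglevel acl' directive. The suffix dc=example,dc=com and the group cn=Admins,ou=Groups,dc=example,dc=com are assumed.

```conf
# Added example, not from the original thread. Suffix and admin group
# DN are assumed.

# Global section: must appear before any 'database' directive.
# Enables ACL evaluation tracing; the output is voluminous.
loglevel acl

# --- per-database ACLs (first matching 'access to' clause wins) ---

# Weak (commented out): 'write' implies read, so the Admins group and
# each user on their own entry can read password hashes as well as
# set them.
# access to attrs=userPassword
#     by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
#     by self write
#     by * auth

# Corrected: '=w' grants exactly write, with no read, search or
# compare. 'by * auth' remains so that binds can be verified.
access to attrs=userPassword
    by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" =w
    by self =w
    by * auth

# Adding an attribute is a modify/add operation, so 'write' on the
# attribute covers both adding it and changing its value.
access to attrs=mail,uid
    by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write
    by * read

# Catch-all for everything else.
access to *
    by users read
    by * none
```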