----- Wolf-Agathon Schaly w-a.schaly@arcor.de ha scritto:
Fellows
I'm trying to grant write access to the subtree using the following access directive
access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de" by dn="cn=myusername,ou=users,o=privat,c=de" write by anonymous read by * auth
(1)
this rule is working fine but for just one user. If I add another 'by dn' like
by dn="cn=yourusername,ou=users,o=privat,c=de" writeIt is working as well. WhoHoo ! That would be fine if I wouldn't expect a huge number of users. Another unaccepable issue would be that the ldap instance would need a restart. That's why I decided to grant access to the dn.subtree to a group (i.e. dba) and have tried the following directive
access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de" by group="cn=dba,ou=groups,o=privat,c=de" write by anonymous read
(2)
But whenever I try as a member of the dba group to write an entry underneath the cn=OracleContext,.... I'm getting the error message
Enter LDAP Password: adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de" ldap_add: Insufficient access (50) additional info: no write access to parent
When changing from (1) to (2) you changed two portions of your ACL: the <what> and the <who>. According to your description of the problem, your intention was to change only the <who>. Wy did you change the <what>, then (going from correct to incorrect)? Use the (right) <what> from (1) and the new <who> from (2). This will solve your problem. In general, apply changes one at a time, especially when you're at a loss.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------