On 12/04/09 18:42, Guillaume CHARDIN wrote:
Hi, I'm a beginner with OpenLDAP and I would like some help about configuring a test directory (for now). I thought I set up correctly the base of the directory, but I encounter some issues with ACLs to delegate rw access to some users/OUs/groups. While I can do anything on the directory with the 'rootdn', I wasn't able to give rw access to another user (admintest) on the directory. To achieve this task I use several tools: phpldapadmin, ldapadd, ldapdelete. And every time these tools return errors about the rights of the user I bind to the directory.
Here is an example:

]# ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local
Enter LDAP Password:
ldap_delete: Insufficient access (50)
        additional info: no write access to parent
If i do the same with the rootdn user everything goes fine.
I use a static configuration on the server side so I have to start/restart ldap to have new ACLs applied. Below are my access rules written in my slapd.conf file:

# in the global config:
access to *
        by * read

# in the "database" config:
access to dn.subtree="dc=brcorp,dc=local"
        by dn.one="uid=admintest,dc=brcorp,dc=local" write
        by self write
access to *
        by dn.exact="cn=Manager,dc=brcorp,dc=local" read
        by * none
Hi,
When you write "by dn.one", this effectively applies to any user accounts that are one level *below* the account "uid=admintest" in your tree. You should replace that with "dn.base".
See this section of the admin guide for more details: http://www.openldap.org/doc/admin24/access-control.html#What%20to%20control%...
Regards, Jonathan
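The database-section ACLs from the question with the fix from the reply applied, as an added example that is not part of either message in the thread (DNs are the ones from the question; the comment on rule order reflects how slapd evaluates "access to" clauses):

```conf
# slapd.conf, "database" section.
# Rules are checked in order: the first "access to" clause whose target matches
# the entry decides, so the specific subtree rule must come before the catch-all.

access to dn.subtree="dc=brcorp,dc=local"
        # dn.base matches exactly this one DN (dn.exact is a synonym).
        # dn.one would instead match entries one level *below* uid=admintest,
        # so the bound admintest account itself never matched the old rule and
        # fell through to the default, hence "no write access to parent".
        by dn.base="uid=admintest,dc=brcorp,dc=local" write
        by self write

# Everything outside that subtree stays readable only to the Manager account.
access to *
        by dn.exact="cn=Manager,dc=brcorp,dc=local" read
        by * none
```

The rule can be checked without restarting slapd with the slapacl tool, e.g. `slapacl -f /etc/openldap/slapd.conf -D 'uid=admintest,dc=brcorp,dc=local' -b 'dc=brcorp,dc=local' children/write` (the config path is an assumption); deleting ou=test needs write access to the parent entry's "children" pseudo-attribute, which is what the error message refers to.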