Irina Shetukhina irka@masterhost.ru writes:
Hi.
There is an ACL in slapd.conf:

    access to dn.one="ou=personal,ou=groups,o=vega"
        by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
        by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
        by users read

And when any of the members of "cn=users-admins,ou=groups,o=vega" tries to add a new object, he gets an error: no write access to parent
But he can modify an existing object without errors.
If I change dn.one to dn.sub, there are no errors at all.
Could anybody explain what modification the parent object needs?
man slapd.access(5):

    one (synonym of onelevel) indicates all the entries immediately below the <dnpattern>, sub (synonym of subtree) indicates all entries [...]
    The add operation requires add (=a) privileges on the pseudo-attribute entry of the entry being added, and add (=a) privileges on the pseudo-attribute children of the entry's parent.

As an add operation requires read access to the pseudo-attribute children, you have to allow read access to ou=personal,ou=groups,o=vega, something like

    access to dn.one="ou=personal,ou=groups,o=vega" attrs=children

or you allow all operations on the base ou=personal,ou=groups,o=vega by

    access to dn.subtree="ou=personal,ou=groups,o=vega"
-Dieter
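The following slapd.conf fragment is an added illustration of the point raised in this thread; it is not configuration from either poster. It places the original dn.one rule beside a second rule that grants the two admin groups the add privilege on the children pseudo-attribute of the parent entry, which is what slapd.access(5) says an add operation needs. The group and base DNs are the ones from the thread; the bind DN in the slapacl check is a made-up placeholder.

```conf
# --- Original rule (from the thread): matches only the entries one level
# below ou=personal. The parent entry itself is not matched, so the check
# for "children" on ou=personal falls through to the implicit final
# "access to * by * none" and the add is refused with
# "no write access to parent". Modify works because it touches only the
# child entry, which this rule does cover.
access to dn.one="ou=personal,ou=groups,o=vega"
    by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" write
    by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" write
    by users read

# --- Added rule: grant the add privilege on the parent's "children"
# pseudo-attribute only, instead of opening the whole subtree with dn.sub.
# dn.base matches exactly the parent entry; attrs=children limits the grant
# to the pseudo-attribute that the add operation is checked against.
# "add" (=a) is narrower than "write": it permits creating child entries
# but not deleting them (delete would need =d on children).
access to dn.base="ou=personal,ou=groups,o=vega" attrs=children
    by group/groupOfUniqueNames/uniqueMember="cn=users-admins,ou=groups,o=vega" add
    by group/groupOfUniqueNames/uniqueMember="cn=tree-admins,ou=groups,o=vega" add
    by * none

# --- Check without touching the directory (slapacl(8) evaluates the ACLs
# offline against this config). The bind DN below is a placeholder.
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "cn=PLACEHOLDER-admin,ou=people,o=vega" \
#       -b "ou=personal,ou=groups,o=vega" "children/add"
# Expected: "add access to children: ALLOWED" for a member of either group,
# "DENIED" for anyone else.
```

Keeping the extra grant scoped to attrs=children on one base entry is the least-privilege form of the fix: the admin groups gain exactly what the add needs and nothing on the ou=personal entry's real attributes, whereas switching the first rule to dn.sub would also let them modify and delete the parent entry itself.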