----- Wolf-Agathon Schaly w-a.schaly@arcor.de ha scritto:

Fellows

I'm trying to grant write access to the subtree using the following access directive

access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de" by dn="cn=myusername,ou=users,o=privat,c=de" write by anonymous read by * auth

(1)

this rule is working fine but for just one user. If I add another 'by dn' like

    by dn="cn=yourusername,ou=users,o=privat,c=de" write

It is working as well. WhoHoo ! That would be fine if I wouldn't expect a huge number of users. Another unaccepable issue would be that the ldap instance would need a restart. That's why I decided to grant access to the dn.subtree to a group (i.e. dba) and have tried the following directive

access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de" by group="cn=dba,ou=groups,o=privat,c=de" write by anonymous read

(2)

But whenever I try as a member of the dba group to write an entry underneath the cn=OracleContext,.... I'm getting the error message

Enter LDAP Password: adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de" ldap_add: Insufficient access (50) additional info: no write access to parent

When changing from (1) to (2) you changed two portions of your ACL: the <what> and the <who>. According to your description of the problem, your intention was to change only the <who>. Wy did you change the <what>, then (going from correct to incorrect)? Use the (right) <what> from (1) and the new <who> from (2). This will solve your problem. In general, apply changes one at a time, especially when you're at a loss.

p.

Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------