Hi.
I have a meta backend o=vega and two databases, o=vega-main and ou=devel, on the same server. I have configured the meta backend o=vega with
suffixmassage "o=vega" "o=vega-main" and suffixmassage "ou=devel,ou=sites,o=vega" "ou=devel"
I'd like to write ACLs per database, but present the DIT as a single suffix, o=vega.
Members of cn=sysadmins,ou=groups,o=vega (really cn=sysadmins,ou=groups,o=vega-main) should get write permission on ou=devel,ou=sites,o=vega (really ou=devel). But they only get read on o=vega.
Where am I wrong?
My slapd.conf:
database meta
suffix "o=vega"
uri "ldap://ldap.irka.int.masterhost.ru/ou=devel,ou=sites,o=vega"
suffixmassage "ou=devel,ou=sites,o=vega" "ou=devel"
rootdn "cn=ldapadm,o=vega"
rootpw X
uri "ldap://ldap.irka.int.masterhost.ru/o=vega"
suffixmassage "o=vega" "o=vega-main"

database hdb
suffix ou=devel
rootdn "cn=ldapadm,ou=devel"
rootpw XX
directory /var/db/openldap-data/devel
checkpoint 32 8
access to dn.sub="ou=devel"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,ou=vega-main" write
    by * read

database hdb
suffix o=vega-main
rootdn "cn=ldapadm,o=vega-main"
rootpw XXX
directory /var/db/openldap-data/vega-main
checkpoint 32 8
access to dn.sub="ou=SUDOers,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=mail,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.regex="ou=.*,ou=groups,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=groups,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main" attrs=userPassword
    by self write
    by anonymous auth
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
access to dn.sub="ou=users,o=vega-main" attrs=mail
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main" attrs=@inetOrgPerson,@inetLocalMailRecipient,@intraPerson,cn
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="o=vega-main"
    by anonymous auth
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by * read
My OpenLDAP version is 2.4.11 on FreeBSD 7.0-amd64.
openldap-software@openldap.org