Hi, I'm a beginner with OpenLDAP and I would like some help with configuring a test directory (for now). I thought I set up the base of the directory correctly, but I encounter some issues with ACLs to delegate rw access to some users/OUs/groups. While I can do anything on the directory with the 'rootdn', I wasn't able to give rw access to another user (admintest) on the directory. To achieve this task I use several tools: phpldapadmin, ldapadd, ldapdelete. And every time these tools return an error about the rights of the user I bind to the directory with.
Here is an example:

]# ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local
Enter LDAP Password:
ldap_delete: Insufficient access (50)
        additional info: no write access to parent
If I do the same with the rootdn user everything goes fine.
I use a static configuration on the server side, so I have to start/restart ldap to have new ACLs applied. Below are my access rules written in my slapd.conf file:

# in the global config:
access to * by * read

# in the "database" config:
access to dn.subtree="dc=brcorp,dc=local"
        by dn.one="uid=admintest,dc=brcorp,dc=local" write
        by self write
access to *
        by dn.exact="cn=Manager,dc=brcorp,dc=local" read
        by * none

I read in the admin documentation that the global directives are applied after the "database" access directives. So the 'access to * by * read' is applied after 'access to dn.subtree="dc=brcorp,dc=local" by dn.one="uid=admintest,dc=brcorp,dc=local" write', which is the important line for my user. What's wrong with my configuration?
Can someone tell me? Thanks for your help. -- Guillaume
On 12/04/09 18:42, Guillaume CHARDIN wrote:
Hi, I'm a beginner with OpenLDAP and I would like some help with configuring a test directory (for now). I thought I set up the base of the directory correctly, but I encounter some issues with ACLs to delegate rw access to some users/OUs/groups. While I can do anything on the directory with the 'rootdn', I wasn't able to give rw access to another user (admintest) on the directory. To achieve this task I use several tools: phpldapadmin, ldapadd, ldapdelete. And every time these tools return an error about the rights of the user I bind to the directory with.
Here is an example:

]# ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local
Enter LDAP Password:
ldap_delete: Insufficient access (50)
        additional info: no write access to parent

If I do the same with the rootdn user everything goes fine.
I use a static configuration on the server side, so I have to start/restart ldap to have new ACLs applied. Below are my access rules written in my slapd.conf file:

# in the global config:
access to * by * read

# in the "database" config:
access to dn.subtree="dc=brcorp,dc=local"
        by dn.one="uid=admintest,dc=brcorp,dc=local" write
        by self write
access to *
        by dn.exact="cn=Manager,dc=brcorp,dc=local" read
        by * none
Hi,
When you write "by dn.one", this effectively applies to any user accounts that are one level *below* the account "uid=admintest" in your tree. You should replace that with "dn.base".
See this section of the admin guide for more details: http://www.openldap.org/doc/admin24/access-control.html#What%20to%20control%...
Regards, Jonathan
----- "Guillaume CHARDIN" guillaume.chardin@gmail.com wrote:
Hi, I'm a beginner with OpenLDAP and I would like some help with configuring a test directory (for now). I thought I set up the base of the directory correctly, but I encounter some issues with ACLs to delegate rw access to some users/OUs/groups. While I can do anything on the directory with the 'rootdn', I wasn't able to give rw access to another user (admintest) on the directory. To achieve this task I use several tools: phpldapadmin, ldapadd, ldapdelete. And every time these tools return an error about the rights of the user I bind to the directory with.
Here is an example:

]# ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local
Enter LDAP Password:
ldap_delete: Insufficient access (50)
        additional info: no write access to parent

If I do the same with the rootdn user everything goes fine.
Remember, the rootdn user has full access and bypasses any ACLs, time or search limits you have configured. That's why it's called root ;-)
Gavin.
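To make the two replies above concrete, here is a small Python model of how slapd picks an ACL, added for this thread and not taken from it or from OpenLDAP's source. It reproduces the dn.<scope> semantics Jonathan describes (dn.one matches only entries directly beneath the named DN, dn.base the DN itself), evaluates the thread's rules as written and with dn.base, and shows Gavin's point that the rootdn never reaches the ACL list at all. It assumes cn=Manager,dc=brcorp,dc=local is the database rootdn (the thread does not say), uses a constructed entry cn=hypothetical,... to show what dn.one does match, and works at entry level only: the children/entry pseudo-attribute checks a real delete performs are not modelled.

```python
"""Toy model of slapd ACL selection (simplified, not OpenLDAP code).

<what> : "*" or "dn.<scope>=<pattern>"   scope: base|exact|one|subtree|children
<who>  : "*", "anonymous", "users", "self" or "dn.<scope>=<pattern>"
"""
from dataclasses import dataclass
from typing import List, Optional


def normalize_dn(dn: str) -> str:
    """Case-insensitive compare, whitespace around commas ignored (simplified)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn: str) -> str:
    """DN with its leftmost RDN removed; '' for a single-RDN DN."""
    return dn.partition(",")[2]


def dn_scope_matches(scope: str, pattern: str, dn: str) -> bool:
    """dn.<scope> semantics as documented in slapd.access(5)."""
    pattern, dn = normalize_dn(pattern), normalize_dn(dn)
    if scope in ("base", "exact"):      # exactly this entry
        return dn == pattern
    if scope == "one":                  # entries whose parent is the pattern
        return parent_dn(dn) == pattern
    if scope == "subtree":              # the pattern and everything below it
        return dn == pattern or dn.endswith("," + pattern)
    if scope == "children":             # everything below, not the pattern itself
        return dn.endswith("," + pattern)
    raise ValueError(f"unknown dn scope: {scope}")


@dataclass
class By:
    who: str
    access: str


@dataclass
class Access:
    what: str
    by: List[By]


def _parse_dn_spec(spec: str):
    """'dn.one=uid=x,dc=y' -> ('one', 'uid=x,dc=y')."""
    scope, _, pattern = spec[len("dn."):].partition("=")
    return scope, pattern


def what_matches(what: str, target_dn: str) -> bool:
    if what == "*":
        return True
    if what.startswith("dn."):
        return dn_scope_matches(*_parse_dn_spec(what), target_dn)
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    anonymous = bind_dn == ""
    if who == "*":
        return True
    if who == "anonymous":
        return anonymous
    if who == "users":
        return not anonymous
    if who == "self":
        return not anonymous and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if who.startswith("dn."):
        return not anonymous and dn_scope_matches(*_parse_dn_spec(who), bind_dn)
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(acls: List[Access], bind_dn: str, target_dn: str,
             rootdn: Optional[str] = None) -> str:
    """Access level the requester gets on target_dn."""
    if rootdn and bind_dn and normalize_dn(bind_dn) == normalize_dn(rootdn):
        return "manage"  # rootdn bypasses ACL evaluation altogether (Gavin's point)
    for rule in acls:
        if not what_matches(rule.what, target_dn):
            continue
        # The first <what> matching the target is the only rule consulted ...
        for clause in rule.by:
            if who_matches(clause.who, bind_dn, target_dn):
                return clause.access
        return "none"    # ... and it ends with an implicit "by * none".
    return "none"


ADMINTEST = "uid=admintest,dc=brcorp,dc=local"
ROOTDN = "cn=Manager,dc=brcorp,dc=local"    # assumed rootdn of the thread's database
TARGET = "ou=test,dc=brcorp,dc=local"        # the entry ldapdelete tried to remove

# The thread's rules: database ACLs first, global "access to * by * read" appended.
THREAD_ACLS = [
    Access("dn.subtree=dc=brcorp,dc=local",
           [By("dn.one=" + ADMINTEST, "write"), By("self", "write")]),
    Access("*", [By("dn.exact=" + ROOTDN, "read"), By("*", "none")]),
    Access("*", [By("*", "read")]),
]

# Jonathan's fix: dn.base names the admintest entry itself.
FIXED_ACLS = [
    Access("dn.subtree=dc=brcorp,dc=local",
           [By("dn.base=" + ADMINTEST, "write"), By("self", "write")]),
] + THREAD_ACLS[1:]

if __name__ == "__main__":
    print("thread rules, admintest:", evaluate(THREAD_ACLS, ADMINTEST, TARGET))
    print("fixed rules,  admintest:", evaluate(FIXED_ACLS, ADMINTEST, TARGET))
    print("rootdn:", evaluate(THREAD_ACLS, ROOTDN, TARGET, rootdn=ROOTDN))
    # dn.one only matches a (constructed) entry directly beneath admintest:
    print(dn_scope_matches("one", ADMINTEST, "cn=hypothetical," + ADMINTEST))
```

Running it also shows why the global `access to * by * read` never helped: the dn.subtree rule matches every entry under dc=brcorp,dc=local, so for admintest, for cn=Manager bound as an ordinary DN, and for anonymous the evaluation stops at that rule's implicit `by * none` and the later rules are never reached.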
Hi everyone. First, I wish to thank you for your help.
I now realize my (many) mistakes. :) First of all, I misunderstood the use of the "database monitor" directive. I did not read the manual correctly, and I thought this directive applied to the previous database, so I put my ACLs below this line. So my security was not applied to the right db/directory.
Second, I misunderstood the use of the dn.<scope> operand too, as Gavin pointed out.
Now everything works fine. Thanks to all of you.
Guillaume
openldap-software@openldap.org