Hi everyone,

I've been facing an ACL problem for a long time, and I've got to the point where I'm out of ideas. The problem is related to writing in a specific branch of the DIT. My DIT has the following hierarchy:

dc=spi,dc=net
-> c=cl
-->ou=users
--->ou=regular
--->ou=admin

The ACL should allow the users under the admin subtree to write in the regular subtree (admin and regular users model).

So, I have the following ACL includes in slapd.conf:

include         /etc/ldap/acls/acl.conf.default
include         /etc/ldap/acls/acl.conf


The ACL files have the following lines:

#  /etc/ldap/acls/acl.conf.default

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=spi,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work 
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=spi,dc=net" write
        by * read

#  /etc/ldap/acls/acl.conf

access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net"
        attrs="children"
        by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" manage
        by * read


So, I created a user under the admin subtree with the following DN:

uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net

To test, I'm trying to add a user with the following LDIF file:

# Test
description: Test
dn: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: spi # Customized class
cn: Teste
sn: teste
givenName: Teste
uid: teste
url: http://mysite.com
mail: test@mysite.com
l: City
TimeZone: GMT-4
area: Gov
st: State
organization: Organization
o: SPI
preferredLanguage: en-US


However, when I try to add the user (ldapadd -x -D "uid=cl-admin,ou=admins,ou=usuarios,c=cl,dc=spi,dc=net" -W -f /tmp/test.ldif)

I get the following error:

ldap_add: Insufficient access (50)
        additional info: no write access to parent


The debug output log for ACLs shows me the following sequence of information:


Nov  3 12:00:47 nodo108 slapd[16629]: hdb_referrals: tag=104 target="uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net" matched="ou=regular,ou=users,c=cl,dc=spi,dc=net"
Nov  3 12:00:47 nodo108 slapd[16629]: ==> hdb_add: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_required entry (uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net), objectClass "spi"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "objectClass"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "cn"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "sn"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "givenName"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "uid"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "url"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "mail"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "l"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "timeZone"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "area"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "st"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "organization"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "o"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "preferredLanguage"
Nov  3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "structuralObjectClass"
Nov  3 12:00:47 nodo108 slapd[16629]: slap_queue_csn: queing 0xb6603a32 20101103140047.629760Z#000000#000#000000
Nov  3 12:00:47 nodo108 slapd[16629]: bdb_dn2entry("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov  3 12:00:47 nodo108 slapd[16629]: => hdb_dn2id("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov  3 12:00:47 nodo108 slapd[16629]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Nov  3 12:00:47 nodo108 slapd[16629]: => access_allowed: add access to "ou=regular,ou=users,c=cl,dc=spi,dc=net" "children" requested
Nov  3 12:00:47 nodo108 slapd[16629]: => dn: [1] ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: => dn: [3] 
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_get: [4] attr children
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_mask: access to entry "ou=regular,ou=users,c=cl,dc=spi,dc=net", attr "children" requested
Nov  3 12:00:47 nodo108 slapd[16629]: => acl_mask: to all values by "uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net", (=0) 
Nov  3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: cn=admin,dc=spi,dc=net
Nov  3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: *
Nov  3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] applying read(=rscxd) (stop)
Nov  3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] mask: read(=rscxd)
Nov  3 12:00:47 nodo108 slapd[16629]: => slap_access_allowed: add access denied by read(=rscxd)
Nov  3 12:00:47 nodo108 slapd[16629]: => access_allowed: no more rules
Nov  3 12:00:47 nodo108 slapd[16629]: hdb_add: no write access to parent
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_result: conn=26 op=1 p=3
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_result: err=50 matched="" text="no write access to parent"
Nov  3 12:00:47 nodo108 slapd[16629]: send_ldap_response: msgid=2 tag=105 err=50
Nov  3 12:00:47 nodo108 slapd[16629]: conn=26 op=1 RESULT tag=105 err=50 text=no write access to parent


I tried a lot of different solutions, but nothing seems to work. Does anybody have a clue about how to fix it?

--
Eduardo Santos
Systems Analyst

http://eduardosan.wordpress.com
http://twitter.com/eduardosan
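
Added example, not part of the original post: a Python parser for slapd ACL debug lines like the ones above. For each access check it reports the requested level, the `by` patterns slapd tested and the privilege applied, then lists which `access to` clause from the two ACL files has those leading `by` subjects. The sample log is constructed from the ACL lines of the post's log with the syslog prefix removed; `parse_decisions`, `matching_clauses` and the clause labels are names introduced here, and reading the bracketed number as the position of the applied `by` clause is an assumption.

```python
import re

# Constructed sample: ACL lines from the log in the post, syslog prefix removed.
SAMPLE_LOG = '''\
=> access_allowed: add access to "ou=regular,ou=users,c=cl,dc=spi,dc=net" "children" requested
=> acl_mask: to all values by "uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net", (=0)
<= check a_dn_pat: cn=admin,dc=spi,dc=net
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscxd) (stop)
=> slap_access_allowed: add access denied by read(=rscxd)
'''
# "by" subjects of each access clause, transcribed from the post (labels are ours).
CLAUSES = {
    "acl.conf.default: userPassword rule": ["cn=admin,dc=spi,dc=net", "anonymous", "self", "*"],
    'acl.conf.default: access to dn.base=""': ["*"],
    "acl.conf.default: access to *": ["cn=admin,dc=spi,dc=net", "*"],
    "acl.conf: dn.children rule": ["ou=admins,ou=users,c=cl,dc=spi,dc=net", "*"],
}
REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'acl_mask: to .* by "([^"]*)"')
PAT = re.compile(r'check a_dn_pat: (\S.*?)\s*$')
APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)\(')
RESULT = re.compile(r'access_allowed: \w+ access (granted|denied) by')

def parse_decisions(log_text):
    """Return one dict per access check found in slapd ACL debug output."""
    out = []
    for line in log_text.splitlines():
        if m := REQ.search(line):  # a new access check starts here
            out.append({"level": m[1], "entry": m[2], "attr": m[3],
                        "requester": None, "checked": [],
                        "by_index": None, "granted": None, "result": None})
        elif not out:
            continue  # ignore lines seen before the first access check
        elif m := WHO.search(line):
            out[-1]["requester"] = m[1]
        elif m := PAT.search(line):
            out[-1]["checked"].append(m[1])
        elif m := APPLY.search(line):  # assumption: [n] is the by-clause position
            out[-1]["by_index"], out[-1]["granted"] = int(m[1]), m[2]
        elif m := RESULT.search(line):
            out[-1]["result"] = m[1]
    return out

def matching_clauses(decision, clauses=CLAUSES):
    """Names of clauses whose leading "by" subjects equal the patterns checked."""
    n = decision["by_index"] or 0
    return [name for name, who in clauses.items()
            if n and who[:n] == decision["checked"][:n]]
```

On the post's log, `matching_clauses` returns only the `access to *` clause from acl.conf.default: the patterns checked are `cn=admin,dc=spi,dc=net` and `*`, and the `ou=admins` pattern from acl.conf is never tested.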