Hi,
here is my scenario:
dn: dc=mycompany,dc=hu
dn: ou=ABC Customer,dc=mycompany,dc=hu
 +- dn: cn=group1abc,ou=ABC Customer,dc=mycompany,dc=hu
 +- dn: cn=group2abc,ou=ABC Customer,dc=mycompany,dc=hu
 +- dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
 +- dn: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
 +- dn: uid=user2,ou=ABC Customer,dc=mycompany,dc=hu
dn: ou=XYZ Customer,dc=mycompany,dc=hu
 +- dn: cn=group1xyz,ou=XYZ Customer,dc=mycompany,dc=hu
 +- dn: cn=group2xyz,ou=XYZ Customer,dc=mycompany,dc=hu
 +- dn: uid=user1,ou=XYZ Customer,dc=mycompany,dc=hu
 +- dn: uid=user2,ou=XYZ Customer,dc=mycompany,dc=hu
...
The cn=groupabcadmin,ou=ABC Customer node above looks like this:
dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
objectClass: groupOfNames
cn: groupabcadmin
member: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
I'd like to set it up so that all members of the cn=groupabcadmin group (currently the "uid=user1,ou=ABC Customer" user) can write to the DB (add, modify, delete) under their own OU, specifically ou=ABC Customer,dc=mycompany,dc=hu.
I've found this example: http://www.openldap.org/faq/data/cache/52.html
Now the config looks like this:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mycompany,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
olcLastMod: TRUE
The uid=user1 user's password is right; I can read from the DB with it. But when I try to add a new user, I get:
ldap_add: Insufficient access (50)
	additional info: no write access to parent
and in the log:
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_dn2entry("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_dn2id("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_entry_decode:
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_entry_decode
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: add access to "ou=ABC Customer,dc=mycompany,dc=hu" "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => dn: [2]
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_get: [3] attr children
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: access to entry "ou=ABC Customer,dc=mycompany,dc=hu", attr "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: to all values by "uid=user1,ou=abc customer,dc=mycompany,dc=hu", (=0)
Oct 11 17:03:16 open-ldap slapd[25821]: <= check a_dn_pat: *
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] applying read(=rscxd) (stop)
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] mask: read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => slap_access_allowed: add access denied by read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: no more rules
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_add: no write access to parent
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: conn=1208 op=1 p=3
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: err=50 matched="" text="no write access to parent"
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_response: msgid=2 tag=105 err=50
Oct 11 17:03:16 open-ldap slapd[25821]: conn=1208 op=1 RESULT tag=105 err=50 text=no write access to parent
What am I missing?
Thanks,
a.
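Added example, not from the original post and not OpenLDAP code: a small Python model of how slapd walks the olcAccess directives quoted above, stopping at the first "to" clause that matches the target (the "[3] ... (stop)" and "no more rules" lines in the log). It assumes the group membership shown in the posted group entry and models only the "by" forms used there (self, anonymous, group.exact, *). Run on the posted order it reproduces the denial; it also shows that dn.children never matches the OU entry whose "children" pseudo-attribute the add check looks at, whereas dn.subtree placed ahead of "to *" does.

```python
# Added example: first-match model of slapd olcAccess evaluation for the posted rules.
# DN scopes follow slapd.access(5): dn.children excludes the base DN, dn.subtree includes it.
OU = "ou=ABC Customer,dc=mycompany,dc=hu"
ADMIN_GROUP = "cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
USER1 = "uid=user1,ou=ABC Customer,dc=mycompany,dc=hu"
GROUPS = {ADMIN_GROUP: {USER1}}           # membership taken from the posted group entry
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def in_scope(target, scope, base):
    t, b = target.lower(), base.lower()
    below = t.endswith("," + b)
    return {"base": t == b, "subtree": t == b or below, "children": t != b and below}[scope]

def who_matches(who, bind_dn, target):
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target.lower()
    if who == "anonymous":
        return bind_dn is None
    return bind_dn in GROUPS.get(who, set())   # anything else is treated as group.exact=<DN>

def access_allowed(rules, target, attr, bind_dn, wanted):
    """rules: (scope, base_dn or None for 'to *', attrs or None, [(who, level), ...]).
    The first rule whose 'to' part matches decides; the first matching 'by' gives the level."""
    for scope, base, attrs, by in rules:
        if base is not None and not in_scope(target, scope, base):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False                            # 'to' matched but no 'by' clause did
    return False                                # no more rules

# The directives as posted ({0}..{3}). Adding under the OU needs 'write' on the parent's
# pseudo-attribute 'children', and {2} 'to * by * read' answers that check first.
POSTED = [
    ("base", None, {"userPassword", "shadowLastChange"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("base", "", None, [("*", "read")]),
    ("base", None, None, [("*", "read")]),
    ("children", OU, None, [("self", "write"), (ADMIN_GROUP, "write"), ("*", "auth")]),
]
# Moving the OU rule ahead of 'to *' is not enough on its own: dn.children does not match
# the OU entry itself, so the 'children' check on the parent still falls through to 'to *'.
REORDERED = [POSTED[0], POSTED[1], POSTED[3], POSTED[2]]
# dn.subtree covers the OU entry and everything below it, placed before the catch-all rule.
FIXED = [POSTED[0], POSTED[1], ("subtree", OU, None, POSTED[3][3]), POSTED[2]]
```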