Thanks Harry and Markus.
I did not read the page until the end :( Yesterday before I went to sleep the order thing (a firewall works this way too) came to my mind. I wanted to check it today. I moved the access rule up to 3rd place and I even removed all the by 'dn="cn=admin,dc=example,dc=com"' write rules to get rid of the warnings with slapacl. The output of slapacl is:

# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: read(=rscxd)
children: read(=rscxd)
ou=abk1: read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
objectClass=top: read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: read(=rscxd)
creatorsName=cn=admin,dc=example,dc=com: read(=rscxd)
createTimestamp=20130116171011Z: read(=rscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: read(=rscxd)
modifiersName=cn=admin,dc=example,dc=com: read(=rscxd)
modifyTimestamp=20130116171011Z: read(=rscxd)
Strange that the children are still read. If I change dn.children to dn.subtree then everything changes to write, but still no insert or delete.

# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
ou=Beauty: write(=wrscxd)
objectClass=organizationalUnit: write(=wrscxd)
objectClass=top: write(=wrscxd)
structuralObjectClass=organizationalUnit: write(=wrscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: write(=wrscxd)
creatorsName=cn=admin,dc=example,dc=com: write(=wrscxd)
createTimestamp=20130116171011Z: write(=wrscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: write(=wrscxd)
modifiersName=cn=admin,dc=example,dc=com: write(=wrscxd)
modifyTimestamp=20130116171011Z: write(=wrscxd)
I still cannot add or remove address-book entries, but I know that I am on the right track. Perhaps there is some caching somewhere that is not cleared when slapd is restarted. I will read the page to the end this time :)
On 28-01-13 10:13, harry.jede@arcor.de wrote:
Hi Marco,
reread http://www.openldap.org/doc/admin24/access-control.html, maybe more than one time ;-)
In short: exchange rule 4 & 5
Remember that ordering by tree (DN in the what clause) is important.
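An added illustration of the two points raised in this thread (rule ordering, and why dn.children alone leaves the "children" pseudo-attribute of ou=abk1 read-only). This is a constructed slapd.conf fragment, not Marco's actual configuration; only the DNs are taken from the thread, and the placement of the rules is hypothetical.

```conf
# Constructed example, not the poster's slapd.conf.
# slapd evaluates "access to" rules top-down and uses the FIRST rule whose
# <what> clause matches the target entry; later rules are never consulted
# for that entry. A broad rule placed above a specific one therefore
# silently hides the specific one.

# --- Broken order: the broad Addressbooks rule matches ou=abk1 and all
#     entries below it, so the write rule that follows is unreachable. ---
access to dn.subtree="ou=Addressbooks,dc=example,dc=com"
        by users read
        by * none

access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn.exact="cn=My ENTRY,ou=People,dc=example,dc=com" write
        by users read
        by * none

# --- Corrected order: most specific subtree first, broad rule last. ---
# dn.subtree (not dn.children) is used on purpose: adding or deleting an
# entry under ou=abk1 needs write on the "children" pseudo-attribute of the
# PARENT (ou=abk1 itself) plus write on the "entry" pseudo-attribute of the
# child. dn.children excludes ou=abk1 itself, so the parent's "children"
# attribute would fall through to the read-only rule below.
access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn.exact="cn=My ENTRY,ou=People,dc=example,dc=com" write
        by users read
        by * none

access to dn.subtree="ou=Addressbooks,dc=example,dc=com"
        by users read
        by * none

# Verify the specific pseudo-attribute that an add/delete needs on the parent,
# instead of dumping every attribute:
#   slapacl -f /etc/ldap/slapd.conf \
#     -D "cn=My ENTRY,ou=People,dc=example,dc=com" \
#     -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" children/write
# Expected result when the ordering is right: children: write(=wrscxd)
```

slapacl reads the configuration file directly, so a result that differs from what a running slapd enforces points at the daemon not having been restarted with the edited file rather than at a cache.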