Hi,
On 07/07/2009 17:13, Darryl Moore wrote:
Hi all,
I've installed a LDAP server on my network against which all my users can authenticate. They can even change their passwords via GUI or CLI without any issue.
What I am trying to do now is allow each one of them to have an address book in their subtree.
I created a subtree in each authentication realm that looks like this
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am unable to get the user to be able to. In fact I can't seem to allow the user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes I restart slapd every time I change this file)
I presume you mean slapd.conf file, not ldap.conf.
When testing this, make sure to put this rule as the *first* access rule in the slapd.conf file.
Order is important in ACLs, since the first matching rule will apply. So if your "access to * by * write" is not the first, it probably is never reached.
I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write
A quick excerpt from the admin guide:
To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute.
Be careful of "self" as well, it only represents the current user's entry, not its children/etc.
Hope this helps, Jonathan
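As an added example (not from Darryl's or Jonathan's mails), here is how the "self" limitation and the ordering point are usually handled in slapd.conf: a dn.regex <what> clause captures the owning user's DN, and the <who> clause expands it. The suffix dc=domain,dc=ca and the ou=People/ou=Contacts names are taken from the question; the rest of the layout is assumed.

```conf
# Added example for /etc/ldap/slapd.conf; suffix and ou names from the
# question, everything else assumed.

# The rule from the question: "self" matches only the bind DN itself,
# so uid=alice,... would get write to her own entry and nothing below it.
#access to dn.children="ou=People,dc=domain,dc=ca"
#    by self write

# Corrected rule, placed FIRST because the first matching rule wins.
# $2 captures the owner's DN (uid=...,ou=People,dc=domain,dc=ca), and
# dn.exact,expand="$2" grants write only to that owner, on the
# ou=Contacts entry under their uid and on everything beneath it.
# No attrs= clause, so the rule also covers the "entry" and "children"
# pseudo-attributes that adding or deleting an entry requires.
access to dn.regex="^(.+,)?ou=Contacts,(uid=[^,]+,ou=People,dc=domain,dc=ca)$"
    by dn.exact,expand="$2" write
    by * none

# Remaining rules, e.g. password changes and general read access.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none
```

slapacl(8) can be run against the config file to confirm that a given bind DN gets children/write on its own ou=Contacts entry before slapd is restarted.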