Hi everyone,
I've been facing an ACL problem for a long time, and I have got to the point where I'm out of ideas. The problem is related to writing in a specific branch of the DIT. My DIT has the following hierarchy:
dc=spi,dc=net
 -> c=cl
   --> ou=users
     ---> ou=regular
     ---> ou=admin
The ACL should allow the users under the admin subtree to write in the regular subtree (admin and regular users model).
So, I have the following ACL includes in slapd.conf:
include /etc/ldap/acls/acl.conf.default
include /etc/ldap/acls/acl.conf
The ACL files have the following lines:
# /etc/ldap/acls/acl.conf.default
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=spi,dc=net" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
        by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=spi,dc=net" write
        by * read
# /etc/ldap/acls/acl.conf
access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net" attrs="children"
        by dn.sub="ou=admins,ou=users,c=cl,dc=spi,dc=net" manage
        by * read
So, I created a user under the admin subtree with the following DN:
uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net
To test, I'm trying to add a user with the following LDIF file:
# Teste
description: Test
dn: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: spi          # Customized class
cn: Teste
sn: teste
givenName: Teste
uid: teste
url: http://mysite.com
mail: test@mysite.com
l: City
TimeZone: GMT-4
area: Gov
st: State
organization: Organization
o: SPI
preferredLanguage: en-US
However, when I try to add the user (ldapadd -x -D "uid=cl-admin,ou=admins,ou=usuarios,c=cl,dc=spi,dc=net" -W -f /tmp/test.ldif),
I get the following error:
ldap_add: Insufficient access (50) additional info: no write access to parent
The debug output log for ACLs shows me the following sequence of information:
Nov 3 12:00:47 nodo108 slapd[16629]: hdb_referrals: tag=104 target="uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net" matched="ou=regular,ou=users,c=cl,dc=spi,dc=net"
Nov 3 12:00:47 nodo108 slapd[16629]: ==> hdb_add: uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_required entry (uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net), objectClass "spi"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "objectClass"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "cn"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "sn"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "givenName"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "uid"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "url"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "mail"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "l"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "timeZone"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "area"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "st"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "organization"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "o"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "preferredLanguage"
Nov 3 12:00:47 nodo108 slapd[16629]: oc_check_allowed type "structuralObjectClass"
Nov 3 12:00:47 nodo108 slapd[16629]: slap_queue_csn: queing 0xb6603a32 20101103140047.629760Z#000000#000#000000
Nov 3 12:00:47 nodo108 slapd[16629]: bdb_dn2entry("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov 3 12:00:47 nodo108 slapd[16629]: => hdb_dn2id("uid=test,ou=regular,ou=users,c=cl,dc=spi,dc=net")
Nov 3 12:00:47 nodo108 slapd[16629]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Nov 3 12:00:47 nodo108 slapd[16629]: => access_allowed: add access to "ou=regular,ou=users,c=cl,dc=spi,dc=net" "children" requested
Nov 3 12:00:47 nodo108 slapd[16629]: => dn: [1] ou=regular,ou=users,c=cl,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: => dn: [3]
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_get: [4] attr children
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_mask: access to entry "ou=regular,ou=users,c=cl,dc=spi,dc=net", attr "children" requested
Nov 3 12:00:47 nodo108 slapd[16629]: => acl_mask: to all values by "uid=cl-admin,ou=admins,ou=users,c=cl,dc=spi,dc=net", (=0)
Nov 3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: cn=admin,dc=spi,dc=net
Nov 3 12:00:47 nodo108 slapd[16629]: <= check a_dn_pat: *
Nov 3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] applying read(=rscxd) (stop)
Nov 3 12:00:47 nodo108 slapd[16629]: <= acl_mask: [2] mask: read(=rscxd)
Nov 3 12:00:47 nodo108 slapd[16629]: => slap_access_allowed: add access denied by read(=rscxd)
Nov 3 12:00:47 nodo108 slapd[16629]: => access_allowed: no more rules
Nov 3 12:00:47 nodo108 slapd[16629]: hdb_add: no write access to parent
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_result: conn=26 op=1 p=3
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_result: err=50 matched="" text="no write access to parent"
Nov 3 12:00:47 nodo108 slapd[16629]: send_ldap_response: msgid=2 tag=105 err=50
Nov 3 12:00:47 nodo108 slapd[16629]: conn=26 op=1 RESULT tag=105 err=50 text=no write access to parent
I tried a lot of different solutions, but nothing seems to work. Does anybody have a clue about how to fix it?
openldap-technical@openldap.org
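What the ACL trace above shows, and one way to fix it (an added example, not a file from the original post): an add operation is authorised by checking write access to the "children" pseudo-attribute of the parent entry itself, here ou=regular,ou=users,c=cl,dc=spi,dc=net. The rule in acl.conf is evaluated first ("=> dn: [1] ou=regular,..."), but dn.children matches only entries strictly below that DN, never the DN itself, so there is no "acl_get: [1] matched" line, evaluation falls through to the catch-all "access to *" rule, and its "by * read" clause ([2]) stops with read only: "add access denied by read(=rscxd)". The fragment below targets the parent with dn.base instead, and adds a second rule because, once the parent check passes, slapd also checks write access to the new entry and to every attribute it carries; the DNs are the ones from the post, and "write" is used instead of "manage" since add and delete are covered by write.

```conf
# /etc/ldap/acls/acl.conf (corrected; added example, not the original file)

# Rule 1: creating or deleting entries under ou=regular needs write access to
# the "children" pseudo-attribute of ou=regular ITSELF, so the <what> clause
# must match that entry. The original used
#   dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net"
# which excludes the base DN; dn.base (or dn.subtree) includes it.
access to dn.base="ou=regular,ou=users,c=cl,dc=spi,dc=net" attrs=children
        by dn.subtree="ou=admins,ou=users,c=cl,dc=spi,dc=net" write
        by * break

# Rule 2: after the parent check, slapd checks write ("add") access to the
# new entry ("entry" pseudo-attribute) and to each attribute in the LDIF,
# so grant write on the regular users' entries themselves.
# "by * break" lets everyone else fall through to the default rules, so
# userPassword stays hidden ("by * none") and the rest stays readable.
access to dn.children="ou=regular,ou=users,c=cl,dc=spi,dc=net"
        by dn.subtree="ou=admins,ou=users,c=cl,dc=spi,dc=net" write
        by * break
```

Two things to check after changing the rules: slapd ACLs are first-match on the "access to" clause, so with "slapd -d acl" the "=> acl_get: [1] matched" line should now appear for the parent DN, followed by a separate access_allowed pass for "entry" and for each attribute of uid=test; and the test LDIF names the entry uid=test while the entry carries uid: teste, which slapd rejects as a naming violation once the ACL problem is gone, because the RDN value must be present in the entry.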