Hi
I am trying to rename the (dn) entry as a normal user who first authenticates itself, but there is an error while renaming the dn entry
text=no write access to old parent's children
Here are my slapd.conf access settings.
# Sample access control policy:
access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=admin,dc=mydomain,dc=com" write
        by * auth
access to *
        by self write
        by dn="cn=admin,dc=mydom,dc=com" write
        by * read
Would you please help, what do I need to set?
Br.
Umar
On Sat, 28 Dec 2013 07:21:59 +0000, Umar Draz unix.co@gmail.com wrote:
> Hi
> I am trying to rename the (dn) entry as a normal user who first authenticates itself, but there is an error while renaming the dn entry
> text=no write access to old parent's children
> Here are my slapd.conf access settings.
> # Sample access control policy:
> access to attrs=userPassword,shadowLastChange
>         by self write
>         by dn="cn=admin,dc=mydomain,dc=com" write
>         by * auth
> access to *
>         by self write
>         by dn="cn=admin,dc=mydom,dc=com" write
>         by * read
> Would you please help, what do I need to set?
The last rule allows write operations on one's own entry, but in order to modify an RDN, write operations on a parent entry are required; see ldapmodrdn(1) for more information.
-Dieter
Hi Dieter,
I am already doing this, using PHP ldap_rename().
With the admin user I can easily change the RDN, e.g.
cn=Umar Draz,ou=accounts,dc=mydomain,dc=com
But if I try with the Umar Draz user's login, then the user is unable to change the (dn), e.g. I want to replace the old cn with the new one.
cn=Umar Draz Khan,ou=accounts,dc=mydomain,dc=com.
So I am sure there is something missing in slapd.conf regarding the access policy.
Br.
Umar
On Sat, Dec 28, 2013 at 1:58 PM, Dieter Klünter dieter@dkluenter.de wrote:
> The last rule allows write operations on one's own entry, but in order to modify an RDN, write operations on a parent entry are required; see ldapmodrdn(1) for more information.
> -Dieter
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:DA147B05
> 53°37'09,95"N 10°08'02,42"E
On Sat, 28 Dec 2013 20:48:45 +0500, Umar Draz unix.co@gmail.com wrote:
> Hi Dieter,
> I am already doing this, using PHP ldap_rename().
> With the admin user I can easily change the RDN, e.g.
> cn=Umar Draz,ou=accounts,dc=mydomain,dc=com
> But if I try with the Umar Draz user's login, then the user is unable to change the (dn), e.g. I want to replace the old cn with the new one.
> cn=Umar Draz Khan,ou=accounts,dc=mydomain,dc=com.
> So I am sure there is something missing in slapd.conf regarding the access policy.
rootdn is not an object of any access rule; rootdn is 'root'! As I mentioned already, as a user you must have write access to the parent entry.
-Dieter
There's no way around reading the docs and debugging ACLs by looking carefully at the debug output (loglevel acl).
http://www.openldap.org/software/man.cgi?query=slapd.access
http://www.openldap.org/faq/data/cache/189.html
Ciao, Michael.
openldap-technical@openldap.org
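
The access the error message asks for, written as slapd.conf ACLs (an added example, not part of the thread or of anyone's actual configuration). It assumes the renamed entries live directly under ou=accounts,dc=mydomain,dc=com as in the DNs quoted above, that the admin DN is cn=admin,dc=mydomain,dc=com in every rule, and that any authenticated user may be granted the `children` right on that container.

```conf
# Added example. Per slapd.access(5), modrdn checks three things:
#   1. write on the "entry" pseudo-attribute of the entry being renamed
#   2. write on the "children" pseudo-attribute of the parent entry
#   3. write on the attribute(s) that form the new RDN (cn here)
# "by self write" in the catch-all rule covers 1 and 3 for a user's own
# entry; nothing in the original policy covers 2 for non-admin users.

access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=admin,dc=mydomain,dc=com" write
        by * auth

# New rule, placed before the catch-all because slapd stops at the first
# "access to" clause that matches the target.
# dn.base limits it to the container entry itself, and attrs=children
# grants nothing on the container's real attributes (ou, description, ...).
access to dn.base="ou=accounts,dc=mydomain,dc=com" attrs=children
        by dn="cn=admin,dc=mydomain,dc=com" write
        by users write
        by * read

# Unchanged catch-all. Other users' entries stay read-only, so the
# "children" grant above cannot be used to rename or delete someone
# else's entry: the check on that entry's "entry" attribute still fails.
access to *
        by self write
        by dn="cn=admin,dc=mydomain,dc=com" write
        by * read
```

The `children` right also governs add and delete under that container, so it is worth confirming the effective result for a test user before relying on it, for instance with `slapacl -f slapd.conf -D "cn=Umar Draz,ou=accounts,dc=mydomain,dc=com" -b "ou=accounts,dc=mydomain,dc=com" "children/write"` and with `loglevel acl` as suggested above.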