Nizar Montassar wrote:
> Hello All,
> I have added three ACIs to authorize a group of permissions to manage my 
> Service OU like this:
> 
> # To modify attributes 
> 
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="description ||  cn || memberOf || nsUniqueId || 
> nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version
>  3.0; acl "Enable user modify to change services"; allow (write, 
> read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy";);)
> # To permit password reset
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="userPassword || nsAccountLock || userCertificate || 
> nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version
>  3.0; acl "Enable service password reset"; allow (write, 
> read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy";);)
> # to allow service account creation 
> 
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="objectClass || description || nsUniqueId || cn || memberOf 
> || 
> nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version
>  3.0; acl "Enable service admin account create"; allow (write, add, delete, 
> read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy";);)
> 
> Then I have created those groups under the permission OU like this:
> cn=servce_admin,ou=permissions,dc=xxx,dc=yyy
> cn=servce_modify,ou=permissions,dc=xxx,dc=yyy
> cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy
> 
> And I have added my administrator users to those groups.
> 
> When testing to create a service account using one of my administrator users 
> I got this error:
> "Error: 105 - 3 - 50 - Insufficient access - [] - Insufficient 'add' 
> privilege to add the entry 'cn=test,ou=Services,dc=xxx,dc=yyy'."
> 
> If I understand this message very well: the ACI didn't take effect on the 
> service OU.
> In my log files there is no information; I tried to run my creation command in 
> debug mode and also got the same output.
> 
> I need your help on this issue.

It would be helpful to see the entry you were trying to create.

rob
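Added example, not from the thread and not 389 DS code: a small Python checker that extracts the rights, the groupdn and the objectClass terms of the targetfilter from the quoted "account create" ACI, compares the groupdn against the group DNs listed in the post, and checks a stand-in entry against the targetfilter. The ACI text and the group DNs are copied from the quoted message; the contents of the entry being added are an assumption, since the real entry was not posted.

```python
import re

# The "account create" ACI quoted in the thread, joined onto one line.
ACI_CREATE = (
    '(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)'
    '(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy";);)'
)
# Group DNs as listed in the quoted post (constructed from the thread text).
EXISTING_GROUPS = [
    "cn=servce_admin,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_modify,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy",
]
# Constructed stand-in for the entry being added; the real entry was not posted.
NEW_ENTRY = {"cn": ["test"], "objectClass": ["nsAccount", "nsMemberOf", "netscapeServer"]}

def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(aci):
    """Pull the rights, the groupdn and the objectClass terms of the targetfilter out of an ACI."""
    rights = re.search(r"allow\s*\(([^)]*)\)", aci).group(1)
    groupdn = re.search(r'groupdn="ldap:///([^"]*)"', aci).group(1)
    tfilter = re.search(r'targetfilter="([^"]*)"', aci).group(1)
    # The quoted filters are all AND-ed, so every objectClass term is required.
    classes = re.findall(r"\(objectClass=([^)]+)\)", tfilter, re.I)
    return {
        "rights": {r.strip().lower() for r in rights.split(",")},
        "groupdn": groupdn,
        "required_classes": {c.lower() for c in classes},
    }

def check_add_aci(aci, existing_groups, new_entry):
    """List the reasons this ACI would not grant an add of new_entry (empty list = no finding)."""
    parsed = parse_aci(aci)
    findings = []
    if "add" not in parsed["rights"]:
        findings.append("rights do not include add")
    if normalize_dn(parsed["groupdn"]) not in {normalize_dn(g) for g in existing_groups}:
        findings.append(f"groupdn {parsed['groupdn']} matches no existing group")
    missing = parsed["required_classes"] - {c.lower() for c in new_entry.get("objectClass", [])}
    if missing:
        findings.append(f"entry lacks objectClass required by targetfilter: {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print(check_add_aci(ACI_CREATE, EXISTING_GROUPS, NEW_ENTRY))
```

Run against the values from the post, the checker reports only the groupdn comparison; against the real entry it would also show whether the targetfilter matches, which is the information Rob is asking for.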
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org