Luis Motta Campos wrote:
Hello, list.
I'm facing a problem here: need to offer create/delete/modify
permissions to a groupOfNames so they can handle users, without allowing
them to handle other things (like groups, for example).
This is the organization of my LDAP now:
+ dc=company, dc=net
  + ou=people, dc=company, dc=net
    + uid=champs, ou=people, dc=company, dc=net
      - objectClass: inetOrgPerson
  + ou=groups, dc=company, dc=net
    + cn=admin, ou=groups, dc=company, dc=net
      - objectClass: groupOfNames
      - member: uid=champs, ou=people, dc=company, dc=net
And this is the permissions configuration from the slapd.conf:
--------
access to dn.children="dc=company,dc=net"
    by group.exact="cn=admin,ou=Groups,dc=company,dc=net" write
    by self write
    by * none
--------
This is my .ldaprc:
----
URI ldap://ldap.company.net/
BASE dc=company, dc=net
BINDDN uid=lcampos, ou=people, dc=company, dc=net
----
I'm sure that I'm using the right user and should have access to the
permissions I've set up:
----
champs:~/ldiff$ ldapwhoami -xW
Enter LDAP Password:
dn:uid=lcampos,ou=People,dc=company,dc=net
----
But when I try to use my newly-granted permissions to add a user, I get
this:
----
champs:~/ldiff$ ldapadd -xWf apalinkas.ldiff
Enter LDAP Password:
adding new entry "uid=palinkas, ou=People, dc=company, dc=net"
ldap_add: Insufficient access (50)
additional info: no write access to parent
----
Maybe someone here could help me figure out what I'm doing wrong? I'm
pretty sure that all this is because I'm doing something stupid somewhere.
Your access rules give write privileges to members of group
"cn=admin,ou=Groups,dc=company,dc=net", and your example data above
lists "uid=champs, ou=people, dc=company, dc=net" as member of that
group, but in your example command you bind as another user. Either the
examples in your message are inconsistent, or the software is behaving
as expected.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: [EMAIL PROTECTED]
------------------------------------------
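Added example (not from this thread or from OpenLDAP): a small Python model of how slapd walks the "access to ... by ..." clause above when a bound user runs ldapadd. It assumes that adding an entry is checked as a write on the new entry's parent (the "no write access to parent" error), that the first matching "by" clause wins, and that DN comparison ignores case and whitespace after commas; the group data is constructed from the tree in the first message.

```python
# Simplified model of slapd ACL evaluation for the thread's config.
# Assumptions (not the real slapd implementation): ldapadd needs write
# on the parent entry, the first matching "by" clause wins, and DNs
# compare case-insensitively with whitespace after commas ignored.

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim spaces after commas, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# Constructed directory data mirroring the tree in the first message.
GROUPS = {
    norm_dn("cn=admin,ou=Groups,dc=company,dc=net"): {
        norm_dn("uid=champs, ou=people, dc=company, dc=net"),
    },
}

# The ACL from slapd.conf: the target scope and the ordered "by" clauses.
SCOPE = norm_dn("dc=company,dc=net")          # dn.children="dc=company,dc=net"
ACL = [
    ("group.exact", "cn=admin,ou=Groups,dc=company,dc=net", "write"),
    ("self", None, "write"),
    ("*", None, "none"),
]

def access_for(bind_dn: str, target_dn: str) -> str:
    """Return the privilege granted by the first 'by' clause that matches."""
    bind, target = norm_dn(bind_dn), norm_dn(target_dn)
    if not target.endswith("," + SCOPE):        # outside dn.children scope
        return "none"
    for who, arg, priv in ACL:
        if who == "group.exact" and bind in GROUPS.get(norm_dn(arg), set()):
            return priv
        if who == "self" and bind == target:    # self = the entry itself
            return priv
        if who == "*":
            return priv
    return "none"   # no clause matched: slapd grants nothing by default

def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1]

def can_add(bind_dn: str, new_entry_dn: str) -> bool:
    """ldapadd is checked as write access on the parent of the new entry."""
    return access_for(bind_dn, parent_dn(new_entry_dn)) == "write"

if __name__ == "__main__":
    new = "uid=palinkas, ou=People, dc=company, dc=net"
    for who in ("uid=lcampos, ou=people, dc=company, dc=net",
                "uid=champs, ou=people, dc=company, dc=net"):
        print(who, "->", "ok" if can_add(who, new) else "no write access to parent")
```

Binding as uid=champs (a member of cn=admin) passes the group clause on ou=People and the add succeeds; binding as uid=lcampos falls through the group clause, fails "self" (the parent is not his own entry) and hits "by * none", which is the error in the original post.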