Hi. I have a meta-backend o=vega and two databases o=vega-main and ou=devel on the same server. I'd configure the meta-backend o=vega with
suffixmassage "o=vega" "o=vega-main" and suffixmassage "ou=devel,ou=sites,o=vega" "ou=devel". I'd like to write ACLs per database, but provide the DIT as a single suffix o=vega. Members of cn=sysadmins,ou=groups,o=vega (really cn=sysadmins,ou=groups,o=vega-main) should be granted write permissions to ou=devel,ou=sites,o=vega (really ou=devel). But they are granted only read to o=vega. Where am I wrong?

My slapd.conf:

database meta
suffix "o=vega"
uri "ldap://ldap.irka.int.masterhost.ru/ou=devel,ou=sites,o=vega"
suffixmassage "ou=devel,ou=sites,o=vega" "ou=devel"
rootdn "cn=ldapadm,o=vega"
rootpw X
uri "ldap://ldap.irka.int.masterhost.ru/o=vega"
suffixmassage "o=vega" "o=vega-main"

database hdb
suffix ou=devel
rootdn "cn=ldapadm,ou=devel"
rootpw XX
directory /var/db/openldap-data/devel
checkpoint 32 8
access to dn.sub="ou=devel"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,ou=vega-main" write
    by * read

database hdb
suffix o=vega-main
rootdn "cn=ldapadm,o=vega-main"
rootpw XXX
directory /var/db/openldap-data/vega-main
checkpoint 32 8
access to dn.sub="ou=SUDOers,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=mail,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.regex="ou=.*,ou=groups,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=groups,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main" attrs=userPassword
    by self write
    by anonymous auth
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
access to dn.sub="ou=users,o=vega-main" attrs=mail
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main" [EMAIL PROTECTED],@inetLocalMailRecipient,@intraPerson,cn
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="ou=users,o=vega-main"
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by users read
access to dn.sub="o=vega-main"
    by anonymous auth
    by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
    by * read

My OpenLDAP version is 2.4.11 on FreeBSD 7.0-amd64.
-- Irina Shetukhina
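As an added example (not from the post and not OpenLDAP's own code), the Python below models how the two suffixmassage rules in this slapd.conf rewrite DNs between the virtual suffix o=vega and the real databases, and compares a group DN named in a database ACL against the rewritten form of the virtual group DN. It assumes rewriting is plain longest-suffix replacement, that component comparison is case-insensitive, and that DNs contain no escaped commas.

```python
# Added example, not part of the original post: models back-meta's
# suffixmassage as plain suffix replacement on DNs (longest matching
# virtual suffix wins, components compare case-insensitively, and DNs
# are assumed to contain no escaped commas). Output DNs are normalized
# to lower case. RULES are the two suffixmassage lines from the post.

RULES = [
    ("o=vega", "o=vega-main"),                  # first meta target
    ("ou=devel,ou=sites,o=vega", "ou=devel"),   # second meta target
]


def split_dn(dn):
    """Split a DN into normalized RDN components (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def massage(dn, rules=RULES):
    """Rewrite a request DN from the virtual suffix to the real database suffix.
    The longest matching virtual suffix wins; an unmatched DN is returned unchanged."""
    comps = split_dn(dn)
    best = None
    for virtual, real in rules:
        v = split_dn(virtual)
        if len(v) <= len(comps) and comps[-len(v):] == v:
            if best is None or len(v) > len(best[0]):
                best = (v, split_dn(real))
    if best is None:
        return dn
    v, r = best
    return ",".join(comps[:len(comps) - len(v)] + r)


def unmassage(dn, rules=RULES):
    """Rewrite a result DN back from the real database suffix to the virtual suffix."""
    return massage(dn, [(real, virtual) for virtual, real in rules])


def acl_group_resolves(acl_group_dn, virtual_group_dn, rules=RULES):
    """True when the group DN written in a database ACL is exactly the DN that the
    virtual group DN is rewritten to, i.e. both name the same real entry."""
    return split_dn(acl_group_dn) == split_dn(massage(virtual_group_dn, rules))


if __name__ == "__main__":
    for dn in ("cn=sysadmins,ou=groups,o=vega", "ou=devel,ou=sites,o=vega",
               "uid=irina,ou=users,o=vega"):           # constructed sample DNs
        print(f"{dn}  ->  {massage(dn)}")
    for acl in ("cn=sysadmins,ou=groups,o=vega-main",
                "cn=sysadmins,ou=groups,ou=vega-main"):  # the two spellings in the ACLs
        print(acl, "matches rewritten group:",
              acl_group_resolves(acl, "cn=sysadmins,ou=groups,o=vega"))
```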
