OK, I'm answering myself just in case someone's trying to find out why this doesn't work to help me, or because it may help someone in a similar situation. I had reached a problem (see previous post). To make it short, I just couldn't log in to an LDAP connection in Apache Directory as any user except the rootDN, even having the ACLs seemingly working fine. Or that's what I thought... Really I could with Master Admin, and the ACL was working fine. I could make any change to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com". But I still couldn't with the users under "ou=Cuba,ou=Users,dc=example,dc=com". I was getting really mad. Then I got an idea. So I decided to make a bigger test directory.
LDIF:

dn: dc=example,dc=com
objectClass: extensibleObject
objectClass: domain
objectClass: top
dc: example

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: cn=Cuba Users,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Cuba Users
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com

dn: ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Cuba

dn: ou=Jamaica,ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jamaica

# Parent of the Jamaica users below; this entry is missing from the posted
# LDIF and is assumed here so that the Clark Kent and Peter Parker entries load.
dn: ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jamaica

dn: ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Administrators

dn: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: John Doe
sn: Doe
displayName: John Doe
givenName: John
mail: [email protected]
userPassword: 12345678

dn: cn=Michael Knight,ou=Cuba,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Michael Knight
sn: Knight
displayName: Michael Knight
givenName: Michael
mail: [email protected]
userPassword: 12345678

dn: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
# The RDN value must be present in the entry; the post had "cn: Admin",
# which slapd rejects as a naming violation.
cn: Master Admin
sn: Master
displayName: Master Admin
givenName: Master
mail: [email protected]
userPassword: admin

dn: cn=Clark Kent,ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Clark Kent
sn: Kent
displayName: Clark Kent
givenName: Clark
mail: [email protected]
userPassword: 12345678

dn: cn=Peter Parker,ou=Jamaica,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Peter Parker
sn: Parker
displayName: Peter Parker
givenName: Peter
mail: [email protected]
userPassword: 12345678

dn: cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: Administrators
uniqueMember: cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com
uniqueMember: cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com

I also made a change to my ACL "access to" clause:
----------------------------------------------------------------------------------------------------------

ACL before:

access to dn.subtree="ou=Cuba,ou=Users,dc=example,dc=com"
    by group/groupofuniquenames/uniquemember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
    by users read

ACL after:

access to dn.subtree="ou=Jamaica,ou=Users,dc=example,dc=com"
    by group/groupofuniquenames/uniquemember="cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com" write
    by users read

I thought that the difference between John Doe and Master Administrator was that they belonged to different. Evidently that's true, but the real difference was that I was trying to access an ou with children belonging to that ou. So I changed from Cuba to Jamaica and it worked! I could log in with John Doe or Master Admin to change the data under dn.subtree="ou=Jamaica,ou=Users,dc=example,dc=com". Anyway, I'm not sure if this is absolutely correct (feel free to correct this if it isn't), but it works for me.

Regards,
Juan Jose Aragones
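
The post closes with "I'm not sure if this is absolutely correct", so here is the evaluation order that makes the two observations fit together, followed by an added example that is not part of the original post and not the poster's code. In OpenLDAP, a simple bind on a fresh connection is evaluated as anonymous and needs `auth` access to the target entry's `userPassword`; `by users` matches only authenticated identities, never anonymous; the first `access to` directive whose target matches an entry is the only one consulted, and it ends with an implicit `by * none`; if no directive matches, slapd's built-in default `access to * by * read` applies; and the rootdn bypasses ACLs entirely. With the "ACL before", John Doe's own entry sits inside the protected subtree, so that directive also governs his `userPassword`, and anonymous gets `none`. Master Admin's entry is outside it, falls to the default, and can bind. The Python below is a deliberately simplified model of that evaluation (it is not slapd; it ignores the `entry`/`children` pseudo-attributes, `disclose`, and every `by` form the post does not use) fed with the post's DNs. `ACL_FIXED`, the sample entries and the attribute names passed to `can_write` are assumptions for the example.

```python
# Added example: a simplified model of how OpenLDAP slapd evaluates "access to"
# directives, fed with the entries from the post. It is neither slapd nor the
# poster's configuration; it only covers what the post uses: dn.subtree and
# attrs targets; the self, anonymous, users, * and group/groupOfUniqueNames/
# uniqueMember "by" clauses; and slapd's ordered access levels.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_ge(have, need):
    return LEVELS.index(have) >= LEVELS.index(need)

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

JOHN = "cn=John Doe,ou=Cuba,ou=Users,dc=example,dc=com"
MICHAEL = "cn=Michael Knight,ou=Cuba,ou=Users,dc=example,dc=com"
ADMIN = "cn=Master Admin,ou=Administrators,ou=Users,dc=example,dc=com"
CLARK = "cn=Clark Kent,ou=Jamaica,ou=Users,dc=example,dc=com"
GROUP = "cn=Administrators,ou=Cuba,ou=Groups,dc=example,dc=com"
CUBA = "ou=Cuba,ou=Users,dc=example,dc=com"
JAMAICA = "ou=Jamaica,ou=Users,dc=example,dc=com"

# Constructed directory content, reduced from the poster's LDIF to the
# attributes the evaluation needs.
ENTRIES = {
    JOHN: {"userPassword": "12345678"},
    MICHAEL: {"userPassword": "12345678"},
    ADMIN: {"userPassword": "admin"},
    GROUP: {"uniqueMember": [JOHN, ADMIN]},
}

def is_member(binddn, groupdn):
    members = ENTRIES.get(groupdn, {}).get("uniqueMember", [])
    return any(norm(m) == norm(binddn) for m in members)

def who_matches(who, binddn, target_dn):
    """binddn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":  # authenticated identities only, never anonymous
        return binddn is not None
    if who == "self":
        return binddn is not None and norm(binddn) == norm(target_dn)
    if isinstance(who, tuple) and who[0] == "group":
        return binddn is not None and is_member(binddn, who[1])
    raise ValueError(who)

def granted(acl, binddn, target_dn, attr):
    """The first 'access to' whose target matches is the only one consulted;
    inside it the first matching 'by' wins and an implicit 'by * none' closes
    the list. If no directive matches at all, slapd falls back to its built-in
    default 'access to * by * read'."""
    for target, by_clauses in acl:
        if "subtree" in target and not in_subtree(target_dn, target["subtree"]):
            continue
        if "attrs" in target and attr not in target["attrs"]:
            continue
        for who, level in by_clauses:
            if who_matches(who, binddn, target_dn):
                return level
        return "none"
    return "read"

def can_bind(acl, dn):
    """A simple bind on a fresh connection is evaluated as anonymous and needs
    'auth' on the target entry's userPassword (the rootdn bypasses ACLs)."""
    return level_ge(granted(acl, None, dn, "userPassword"), "auth")

def can_write(acl, binddn, target_dn, attr="displayName"):
    return level_ge(granted(acl, binddn, target_dn, attr), "write")

ADMINS = ("group", GROUP)

# The poster's "ACL before": the protected subtree contains John Doe himself.
ACL_BEFORE = [({"subtree": CUBA}, [(ADMINS, "write"), ("users", "read")])]
# The poster's "ACL after": the same rule moved to ou=Jamaica.
ACL_AFTER = [({"subtree": JAMAICA}, [(ADMINS, "write"), ("users", "read")])]
# Assumed fix (not from the post): protect ou=Cuba but let its own users bind,
# by granting anonymous auth on userPassword while keeping it otherwise
# unreadable and letting each user change their own.
ACL_FIXED = [
    ({"subtree": CUBA, "attrs": {"userPassword"}},
     [("self", "write"), (ADMINS, "write"), ("anonymous", "auth")]),
    ({"subtree": CUBA}, [(ADMINS, "write"), ("users", "read")]),
]

if __name__ == "__main__":
    for name, acl in [("before", ACL_BEFORE), ("after", ACL_AFTER), ("fixed", ACL_FIXED)]:
        print(name, "John binds:", can_bind(acl, JOHN),
              "John writes Michael:", can_write(acl, JOHN, MICHAEL),
              "Michael reads John's password:",
              level_ge(granted(acl, MICHAEL, JOHN, "userPassword"), "read"))
```

Run stand-alone, the model reproduces the post: under `ACL_BEFORE` Master Admin binds and may write under ou=Cuba, while John Doe would be granted write but never gets past the bind. Under `ACL_AFTER` John Doe binds because his entry now falls to the default rule, and he may write under ou=Jamaica; note that nobody except the rootdn can write under ou=Cuba any more, and every authenticated user can read every `userPassword` there. `ACL_FIXED` keeps the original protection on ou=Cuba, lets its members bind, and leaves Michael Knight unable to read John Doe's password. When checking a real server, `slapacl -b <dn> -D <binddn> userPassword/auth` asks slapd the same question against the loaded configuration.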
