Tomasz Chmielewski <man...@wpkg.org> writes:

> I would like to allow a user to edit everything in a given subtree.
>
> For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to
> edit all entries which are in *,ou=Users,dc=example,dc=com.
>
> I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up
> access for that user, but I keep getting "insufficient access".
>
> conn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
> conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
> conn=5 op=0 RESULT tag=97 err=0 text=
> conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
> conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
>
> My rule in slapd.conf is:
>
> access to dn="ou=Users,dc=example,dc=com"
>     by dn="uid=Operator,ou=Users,dc=example,dc=com" write
>     by dn="uid=Operator,ou=Users,dc=example,dc=com" read
This access to rule only allows access to dn.base=ou=Users.. The write
privilege includes the read, compare and auth privileges, so the second by
clause is never checked and can be omitted. You should follow
http://www.openldap.org/doc/admin24/access-control.html in order to have
valid and authoritative documentation.

> I also tried to use:
>
> access to dn.subtree="ou=Users,dc=example,dc=com"
> ...

read man slapd.access(5)

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
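The point made in the reply, as an added slapd.conf fragment that is not part of the thread or of the OpenLDAP documentation: the original rule names only the base entry, while a dn.subtree rule covers every entry beneath ou=Users. The fragment assumes the suffix dc=example,dc=com and the Operator DN quoted in the question; the separate userPassword rule and its "by self write" / "by anonymous auth" clauses are my own additions, illustrating why a blanket write grant on a whole subtree should usually be preceded by a narrower rule for password attributes.

```conf
# Added example ACL fragment (not from the thread). Assumes suffix
# dc=example,dc=com and the Operator DN from the question.
# slapd evaluates "access to" directives in the order written and stops at
# the first "to" clause that matches the target, so narrower rules go first.

# 1. Password attribute under ou=Users. Because "write" implies "read",
#    the subtree rule below alone would also let the Operator read
#    userPassword values; this preceding rule limits other identities to
#    authenticating against the attribute (by anonymous auth) and lets a
#    user change only their own (by self write).
access to dn.subtree="ou=Users,dc=example,dc=com" attrs=userPassword
    by dn.exact="uid=Operator,ou=Users,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. Everything else in the subtree. The original rule used a plain
#    dn="ou=Users,dc=example,dc=com", which matches only that single entry,
#    never uid=d.user3,ou=Users,... . dn.subtree matches ou=Users itself and
#    every entry below it, and a rule without attrs= also covers the "entry"
#    and "children" pseudo-attributes that a DEL needs write access to
#    (entry of the deleted object, children of its parent). Since write
#    already includes read, compare and auth, one "by" clause for the
#    Operator is enough.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn.exact="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read

# 3. Anything not matched above falls through to slapd's implicit "by * none".
```

After changing slapd.conf, the rule set can be checked with slaptest before restarting slapd, and the same bind/DEL sequence from the question should then log err=0 instead of err=50.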