LDAP Access control

Darryl Moore darryl-90a536wCiRb3fQ9qLvQP4Q at public.gmane.org
Tue Jul 7 14:20:02 UTC 2009


Hi all,

By chance does anyone on this list have any experience with LDAP?

I've installed a LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.

What I am trying to do now is allow each one of them to have an address
book in their subtree.

I created a subtree in each authentication realm that looks like this:

ou=Contacts,uid=user,ou=People,dc=domain,dc=ca

There is no problem with the rootdn adding entries below this, but I am
unable to get the user to be able to. In fact I can't seem to allow the
user to write anywhere. Even with the lone access rule:

access to * by * write

in the /etc/ldap/ldap.conf file (and yes I restart slapd every time I
change this file)

I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write

but that doesn't work either and I figured I'd reduce the number of
unknowns by trying to give global write permission first.

A commandline test to create an entry yields this result:
darryl at bison:~$ ldapadd  -w ${NETPASS} -x -D
"uid=darryl,ou=People,dc=domain,dc=ca" -f ~/tmp
adding new entry
"cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca"
ldap_add: Insufficient access (50)
	additional info: no write access to parent


~/tmp looks like this:
dn: cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
cn: test_test1
objectClass: inetOrgPerson
sn: testestestets



It's not an authentication issue because if NETPASS is wrong it returns:

ldap_bind: Invalid credentials (49)

Anyone have any ideas? I'm stumped! There are some LDAP mail lists I've
skulked around but have not found anything. The next step I guess is to
register with them and ask directly there.

cheers,
darryl
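An added example, not from the original post: a slapd.conf ACL fragment that gives each user write access to the subtree beneath their own entry. It assumes a slapd.conf-style server configuration (access directives are read by slapd from its own config, not from the ldap.conf client file), the dc=domain,dc=ca suffix and ou=People container from the post, and user entries sitting directly under ou=People.

```conf
# slapd.conf ACL fragment (added example, not from the original post).
# Assumptions: slapd.conf-style configuration, suffix dc=domain,dc=ca,
# user entries directly under ou=People. The rootdn bypasses all of this,
# which is why adds as rootdn succeed regardless of the rules.
# Rules are evaluated in order: the first "access to" whose <what> clause
# matches the target entry decides, so the specific rules come first.

# Passwords: the owner may change theirs, everyone else may only bind
# against it. This must precede the subtree rule below, which would
# otherwise also grant read on userPassword to all authenticated users.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# A user's own entry and everything beneath it, e.g.
#   ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
#   cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
# $2 captures the uid found in the target DN; ",expand" substitutes it
# into the <who> clause, so only the bound DN with that same uid gets
# write access. "by self write" alone does not cover the children:
# "self" matches only when the target entry IS the bound DN, and an add
# needs write access on the parent (ou=Contacts), which is never "self".
access to dn.regex="^(.+,)?uid=([^,]+),ou=People,dc=domain,dc=ca$"
    by dn.exact,expand="uid=$2,ou=People,dc=domain,dc=ca" write
    by users read
    by * none

# Everything else: authenticated users read, nobody writes.
access to *
    by users read
    by * none
```

After editing, restart slapd and retry the ldapadd from the post as the user; a remaining "no write access to parent" means the target DN did not match the regex (check the uid and container names in the failing entry's DN).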


--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists