LDAP Access control
Darryl Moore
darryl-90a536wCiRb3fQ9qLvQP4Q at public.gmane.org
Tue Jul 7 14:20:02 UTC 2009
Hi all,
By chance does anyone on this list have any experience with LDAP?
I've installed a LDAP server on my network against which all my users
can authenticate. They can even change their passwords via GUI or CLI
without any issue.
What I am trying to do now is allow each one of them to have an address
book in their subtree.
I created a subtree in each authentication realm that looks like this
ou=Contacts,uid=user,ou=People,dc=domain,dc=ca
There is no problem with the rootdn adding entries below this, but I am
unable to get the user to be able to. In fact I can't seem to allow the
user to write anywhere. Even with the lone access rule:
access to * by * write
in the /etc/ldap/ldap.conf file (and yes I restart slapd every time I
change this file)
I believe the correct access rule for what I want is:
access to dn.children="ou=People,dc=domain,dc=ca" by self write
but that doesn't work either and I figured I'd reduce the number of
unknowns by trying to give global write permission first.
A commandline test to create an entry yields this result:
darryl@bison:~$ ldapadd -w ${NETPASS} -x -D "uid=darryl,ou=People,dc=domain,dc=ca" -f ~/tmp
adding new entry
"cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca"
ldap_add: Insufficient access (50)
additional info: no write access to parent
~/tmp looks like this:
dn: cn=test_test1,ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca
cn: test_test1
objectClass: inetOrgPerson
sn: testestestets
It's not an authentication issue because if NETPASS is wrong it returns:
ldap_bind: Invalid credentials (49)
Anyone have any ideas? I'm stumped! There are some LDAP mail lists I've
skulked around but have not found anything. The next step I guess is to
register with them and ask directly there.
cheers,
darryl
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
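Editor's note, added example (this is not part of the original post or of any reply on the list). Two facts about OpenLDAP bear on the error above. First, slapd takes its access directives from slapd.conf or, on a cn=config install, from olcAccess values under the database entry in cn=config; /etc/ldap/ldap.conf is read by the client library (ldapadd, ldapsearch) only, so an access line placed there changes nothing on the server. Second, adding an entry needs write access to the parent entry (its "entry" and "children" pseudo-attributes), and "by self" only matches the entry whose DN equals the bound DN, so a rule with "by self write" does not reach ou=Contacts,uid=darryl,... or anything under it. The LDIF below grants each user write access to their own entry and everything beneath it by matching the target DN with a regex and expanding the captured uid into the who clause. The database DN (olcDatabase={1}hdb), the suffix dc=domain,dc=ca and the choice to let any authenticated user read the address books are assumptions; check the first with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase.

```ldif
# Added example, not the original poster's configuration.
# ASSUMPTION: the user database is olcDatabase={1}hdb,cn=config and the
# suffix is dc=domain,dc=ca; adjust both to your server.
#
# "replace: olcAccess" overwrites every existing ACL on this database, so
# the rules you still need (the userPassword rule that allows binds) are
# restated here. Continuation lines carry two leading spaces: LDIF strips
# the first, the second keeps the tokens separated. Rules are evaluated in
# {n} order and the first "to" clause that matches the target wins.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0}: passwords stay private; "anonymous auth" is what makes simple binds work.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: matches uid=<user>,ou=People,... itself and every entry below it
# (the optional group 1 eats any leading RDNs such as cn=x,ou=Contacts,).
# Group 2 is the uid; "expand" substitutes it into the who clause, so the
# bound user gets write on their own subtree, including the parent's
# "children" pseudo-attribute that ldapadd needs.
olcAccess: {1}to dn.regex="^(.*,)?uid=([^,]+),ou=People,dc=domain,dc=ca$"
  by dn.exact,expand="uid=$2,ou=People,dc=domain,dc=ca" write
  by users read
# {2}: everything else is world-readable (tighten to "by users read" if the
# directory should not be browsable anonymously).
olcAccess: {2}to *
  by * read
```

Apply it as root over the local socket, which on Debian and Ubuntu has manage rights on cn=config by default: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif. No restart is needed; cn=config changes take effect immediately. With a slapd.conf install the same three "access to" directives go in the database section after the suffix line, followed by a restart. Before re-running the ldapadd test, the decision can be checked offline with slapacl, which evaluates the ACLs exactly as slapd would: slapacl -F /etc/ldap/slapd.d -v -D "uid=darryl,ou=People,dc=domain,dc=ca" -b "ou=Contacts,uid=darryl,ou=People,dc=domain,dc=ca" children/write should report that write is allowed; if it does not, the regex or the database DN is the thing to recheck.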