I am running OpenLDAP 2.4.40 and have applied the following ACL:
olcAccess: {0}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by * read
olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" attrs=userPassword,shadowLastChange,description,sshPublicKey by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * none
I want to change userPassword, shadowLastChange, description and sshPublicKey as the user (in sysUsers). But it's giving me a permission error: it doesn't have write permission.
# slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
authcDN: ""
entry: read(=rscxd)
children: read(=rscxd)
gidNumber=1000: read(=rscxd)
homeDirectory=/home/user1: read(=rscxd)
cn=user1: read(=rscxd)
sshPublicKey=ssh-rsa AAAAB3Nza…cGWliPbw== root@sample.com: read(=rscxd)
userPassword=****: read(=rscxd)
description=test user1: read(=rscxd)
modifyTimestamp=20161025074434Z: read(=rscxd)
LDAP response:
Insufficient access
error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
description: You do not have sufficient permissions to perform that operation.
I tried modifying description as the user uid=user1,ou=sysUsers,dc=sample,dc=com, but it failed.
uid=Manager,ou=sysUsers,dc=sample,dc=com is able to modify it, though.
What am I doing wrong? I suspect an ACL problem?
Best Answer
First of all, the ACL sequence you have given is not correct. In this case everything will be matched by the first directive, as it has "*" in it, which matches everything, and it will never get to the second ACL rule.
Second, the command you have used to check the ACL permissions is incorrect. You have used:
which is incorrect: -D is the DN whose permissions are to be checked and -b is the base DN against which the permissions are to be checked.
So the correct command to check self permissions should be:
EDIT AFTER YOUR FINDINGS: The ACL you had applied was for dn: olcDatabase={0}config,cn=config, whereas it should be applied to the database DN dn: olcDatabase={2}bdb,cn=config.
What I am pretty sure you are trying to do is change the description of DN "uid=Manager,ou=sysUsers,dc=sample,dc=com", which of course, according to the ACL, nobody else will be able to do except DN "uid=Manager,ou=sysUsers,dc=sample,dc=com" itself or DN "cn=Manager,dc=sample,dc=com".
Hope this helps! Please support the answer by marking it as helpful or accepted if it did.
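As an added example, not part of the question or the answer above: a small Python model of how slapd walks olcAccess directives (the first `to` clause covering the target decides, and within it the first matching `by` clause decides), run against the two rules from the question both in the posted order and with the specific rule first. The Rule class, the privilege ladder and the user DNs are constructed for this demonstration; it is not OpenLDAP's own evaluator.

```python
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "auth", "read", "write"]  # simplified privilege ladder (constructed)

class Rule:
    """One olcAccess directive: <to> target (entry scope + attrs) and ordered <by> clauses."""
    def __init__(self, children_of: Optional[str], attrs: Set[str], by: List[Tuple[str, str]]):
        self.children_of = children_of  # dn.children="..." scope; None means "to *"
        self.attrs = attrs              # empty set means any attribute
        self.by = by                    # [(who, level), ...] in the written order

    def targets(self, entry_dn: str, attr: str) -> bool:
        in_scope = self.children_of is None or entry_dn.endswith("," + self.children_of)
        return in_scope and (not self.attrs or attr in self.attrs)

def who_matches(who: str, subject_dn: str, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "self":
        return subject_dn == entry_dn
    if who == "anonymous":
        return subject_dn == ""
    return who.startswith("dn=") and subject_dn == who[3:]

def evaluate(rules: List[Rule], subject_dn: str, entry_dn: str, attr: str) -> str:
    """slapd-style walk: first <to> clause that covers the target wins, then the first
    matching <by> clause inside it; a matched <to> with no matching <by> yields 'none'."""
    for rule in rules:
        if rule.targets(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, subject_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)

MANAGER = "dn=cn=Manager,dc=sample,dc=com"
CATCH_ALL = Rule(None, set(), [("self", "write"), (MANAGER, "write"), ("*", "read")])
SYSUSERS = Rule("ou=sysUsers,dc=sample,dc=com",
                {"userPassword", "shadowLastChange", "description", "sshPublicKey"},
                [("self", "write"), (MANAGER, "write"), ("anonymous", "auth"), ("*", "none")])
AS_POSTED = [CATCH_ALL, SYSUSERS]   # {0} covers everything, so {1} is never reached
REORDERED = [SYSUSERS, CATCH_ALL]   # specific rule first, catch-all last

USER1 = "uid=user1,ou=sysUsers,dc=sample,dc=com"  # constructed DNs for the demo
USER2 = "uid=user2,ou=sysUsers,dc=sample,dc=com"

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "| anonymous on user1 userPassword:", evaluate(rules, "", USER1, "userPassword"),
              "| user2 on user1 description:", evaluate(rules, USER2, USER1, "description"))
```

In the posted order anonymous gets `read` on userPassword from the catch-all rule instead of the intended `auth`, and any other user can read another sysUsers entry's description; with the specific rule first, those fall to `auth` and `none` while self and the Manager keep `write`.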