LDAP – Grant User Write Permission to Group/OrganizationalUnit

Tags: access-control-list, ldap, openldap

I tried to grant cn=admin,ou=Administrators,dc=example,dc=com full write access to ou=People,dc=example,dc=com so that this admin can create (and of course read) new entries under ou=People and also modify them (e.g. change passwords).

My ldif file looks like this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {4}to dn.subtree="ou=People,dc=example,dc=com" by dn.exact="cn=admin,ou=Administrators,dc=example,dc=com" write

After running it with ldapadd -Y EXTERNAL -H ldapi:/// -f permission.ldif, I just got

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Can anyone explain what is wrong here and how to do it correctly? I've tried quite a lot of things that I found online.

Best Answer

After a bit more trial and error I found a working solution.

Take a look at this ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,ou=Administrators,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com" by dn.exact="cn=admin,ou=Administrators,dc=example,dc=com" write
olcAccess: {3}to * by * read

/edit: Well, this lets you create new users under ou=People, but you cannot change all of their attributes.
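Why the ordering in the answer matters, and why the "/edit" caveat appears, comes down to slapd's rule: the first matching "to" clause wins, and within it the first matching "by" clause decides. The script below is an added example written for this page, not code from the thread or from OpenLDAP; it is a toy evaluator for the small subset of olcAccess syntax used above (attrs=, dn.subtree=, dn.exact=, *, self, anonymous, users). The entry uid=bob,ou=People,dc=example,dc=com is a constructed sample, QUESTION_RULES is a constructed approximation of the question's setup (the subtree grant appended after "to * by * read"), "by dn=" is treated like "by dn.exact=", and the fallback when no "to" clause matches is assumed to be read, which is slapd's default access level.

```python
# Added example: toy evaluator for OpenLDAP olcAccess ordering. Not code from
# the thread; it models only the slapd.access subset the thread uses.
import re

# slapd access levels, lowest to highest; a grant of level X satisfies any lower need.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,ou=Administrators,dc=example,dc=com"
PEOPLE = "ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"   # constructed sample entry, not from the thread

# The answer's ruleset (with the 'ccn=' typo corrected).
ANSWER_RULES = [
    f'{{0}}to attrs=userPassword by self write by dn="{ADMIN}" write by anonymous auth by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    f'{{2}}to dn.subtree="{PEOPLE}" by dn.exact="{ADMIN}" write',
    '{3}to * by * read',
]
# Constructed approximation of the question: the same grant, but appended after
# the catch-all 'to * by * read', as the question's {4} entry was.
QUESTION_RULES = ANSWER_RULES[:2] + [
    '{2}to * by * read',
    f'{{3}}to dn.subtree="{PEOPLE}" by dn.exact="{ADMIN}" write',
]


def parse_rule(line):
    """Split one olcAccess value into (what, [(who, level), ...])."""
    line = re.sub(r"^\{\d+\}", "", line.strip())          # drop the {n} ordering prefix
    m = re.match(r'to\s+(\*|attrs=\S+|dn\.(?:subtree|exact|base)="[^"]*")\s+(.*)$', line)
    if not m:
        raise ValueError("unsupported rule: " + line)
    what, rest = m.groups()
    bys = re.findall(r'by\s+(\*|self|anonymous|users|dn(?:\.exact)?="[^"]*")\s+(\w+)', rest)
    return what, bys


def what_matches(what, target_dn, attr):
    """Does a 'to' clause cover this entry/attribute? attr=None means the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):                         # attrs= applies to every entry
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    style, dn = re.match(r'dn\.(\w+)="([^"]*)"', what).groups()
    t, d = target_dn.lower(), dn.lower()
    if style in ("exact", "base"):
        return t == d
    return t == d or t.endswith("," + d)                  # subtree: the DN or anything beneath it


def who_matches(who, requester_dn, target_dn):
    """Does a 'by' clause cover the requester? requester_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    dn = re.match(r'dn(?:\.exact)?="([^"]*)"', who).group(1)   # dn= treated like dn.exact= here
    return requester_dn is not None and requester_dn.lower() == dn.lower()


def access_allowed(rules, requester_dn, target_dn, attr, needed):
    """First matching 'to' wins; inside it the first matching 'by' decides.
    A matched 'to' with no matching 'by' denies (implicit 'by * none')."""
    for idx, line in enumerate(rules):
        what, bys = parse_rule(line)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                ok = LEVELS.index(level) >= LEVELS.index(needed)
                return ok, f"rule {idx} ('to {what}') matched; 'by {who} {level}' applies"
        return False, f"rule {idx} ('to {what}') matched but no 'by' clause fits (implicit 'by * none')"
    return LEVELS.index("read") >= LEVELS.index(needed), "no rule matched; assumed slapd default (read)"


def demo():
    """Evaluate the thread's scenarios; returns {scenario: allowed}."""
    cases = {
        "answer: admin sets bob's userPassword":     (ANSWER_RULES, ADMIN, BOB, "userPassword", "write"),
        "answer: admin sets bob's shadowLastChange": (ANSWER_RULES, ADMIN, BOB, "shadowLastChange", "write"),
        "answer: admin sets bob's mail":             (ANSWER_RULES, ADMIN, BOB, "mail", "write"),
        "answer: bob changes own userPassword":      (ANSWER_RULES, BOB, BOB, "userPassword", "write"),
        "answer: anonymous reads bob's mail":        (ANSWER_RULES, None, BOB, "mail", "read"),
        "question: admin sets bob's mail":           (QUESTION_RULES, ADMIN, BOB, "mail", "write"),
    }
    results = {}
    for name, args in cases.items():
        allowed, why = access_allowed(*args)
        results[name] = allowed
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}\n        {why}")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows three things the thread only hints at. With the answer's order, the admin can write userPassword (rule {0} names the admin) and any ordinary attribute under ou=People (rule {2}), but not shadowLastChange, because rule {1} matches first and its only applicable clause is "by * read"; that is the "/edit" caveat, and the fix is to add the admin to rule {1}. With the question's order, the subtree grant is never reached because "to * by * read" already matched. Finally, rule {2} as written carries no "by * read", so once it matches, nobody but the admin can read entries under ou=People; the catch-all in rule {3} no longer applies to that subtree. The toy ignores the "entry" and "children" pseudo-attributes that slapd also checks when adding or deleting entries, so treat it as an ordering aid, not a replacement for testing against a real server.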