Ldap – openldap give group write access to subtree

Tags: access-control-list, ldap, openldap

I have

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

and group of admins for it:

dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins of people group
uniqueMember: uid=admin1,ou=people,dc=example,dc=com

and I add these rules to allow people-admins to add/delete/modify users in the people group:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none
olcAccess: to dn.one="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.base="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.children="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by * none

Then I try to add a new user to the people group using the credentials of admin1, and get this:

ldapadd -x -H ldap://127.0.0.1:3000/  -D "uid=admin1,ou=people,dc=example,dc=com" -W
dn: uid=test1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test1
sn: test
givenName: test1
cn: test test1
displayName: Test1
userPassword: test1
adding new entry "uid=test1,ou=people,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Here is a similar question, but it received a wrong answer, because dn.entry does not exist in OpenLDAP.

Best Answer

The problem was that group.exact does not work with groupOfUniqueNames. I solved it by changing this rule:

by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write

to this rule:

by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write
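The following script is an added example, not part of the question or the accepted answer: it rebuilds the question's olcAccess set with the answer's group/groupOfUniqueNames/uniqueMember clause in every people-scoped rule and then uses slapacl to re-run the exact check that failed ("no write access to parent"), i.e. write access to the children pseudo-attribute of ou=people. It assumes a Debian-style cn=config directory under /etc/ldap/slapd.d, the ldapi:/// socket with SASL EXTERNAL for the config admin, and that the remaining rules stay as in the question.

```shell
#!/bin/sh
# Added example; assumptions: /etc/ldap/slapd.d layout, ldapi:/// + EXTERNAL,
# and the non-people rules unchanged from the question.
CONFDIR="${CONFDIR:-/etc/ldap/slapd.d}"
SUFFIX="dc=example,dc=com"
PEOPLE="ou=people,$SUFFIX"
GROUP="cn=people-admins,ou=groups,$SUFFIX"
ADMIN="cn=admin,$SUFFIX"

# The corrected "by" clause from the answer: a groupOfUniqueNames keeps its
# members in uniqueMember, so objectClass and member attribute are spelled out
# instead of relying on the group.exact default.
group_clause() {
  printf 'by group/groupOfUniqueNames/uniqueMember=%s write' "$GROUP"
}

# One olcAccess line for the dn.<style> given as $1 (base, one, children, subtree).
people_rule() {
  printf 'olcAccess: to dn.%s="%s" %s by self write by dn="%s" write by * none\n' \
    "$1" "$PEOPLE" "$(group_clause)" "$ADMIN"
}

# Full replacement LDIF: the same rule set and order as the question, with only
# the group clause changed ("replace" does the delete+add in one step).
acl_ldif() {
  printf 'dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nreplace: olcAccess\n'
  printf 'olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="%s" write by anonymous auth by * none\n' "$ADMIN"
  for style in one base children subtree; do people_rule "$style"; done
  printf 'olcAccess: to * by self write by dn="%s" write by * none\n' "$ADMIN"
}

# slapacl evaluates the stored ACLs against the database without a running
# slapd (run it as root or the slapd user). An add is allowed only if the bind
# DN has write access to the parent's "children" pseudo-attribute, which is
# precisely what ldapadd reported as missing. Prints slapacl's verdict line.
parent_write_access() {
  slapacl -F "$CONFDIR" -D "$1" -b "$PEOPLE" children/write 2>&1
}

if [ "${1:-}" = apply ]; then
  acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  parent_write_access "uid=admin1,$PEOPLE"   # expect a "children: write(...)" line
fi
```

Run it as `sh fix-people-acl.sh apply`; without the argument it only defines the functions, so `acl_ldif` can be inspected first with `sh -c '. ./fix-people-acl.sh; acl_ldif'`.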