I have an issue with the ACL configuration of an LDAP server (slapd). The following ACL entry is active as the first rule that applies:
{0}to dn.subtree="ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow" attrs=entry,children by users write
Now the strange thing that happens is that given that rule I can add an entry to the respective DN but if I want to modify it with the very same user, then I get
0x32 (LDAP_INSUFFICIENT_ACCESS)
Can someone give me a hint what the problem could be?
Best Answer
If you want to allow the modification of the whole entry, you need to remove the attrs= option completely. I think you're misunderstanding what attrs=entry does. It doesn't let you modify the whole entry. The entry attribute only grants permission to the entry itself (not its attributes), which basically only allows you to delete it. The children attribute is what is letting you create new children under that entry. But as soon as the child is created, you can't modify it because it falls under the dn.subtree match, and your ACL forbids modification of anything other than deleting the entry and creating children. From http://www.openldap.org/doc/admin24/access-control.html:

As mentioned, the solution is to remove the attrs option. This makes the ACL default to everything, so when you specify write, it lets you write to everything on that entry.
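The fix described in the answer, written out as an added example (not part of the original question or answer) for a server configured through cn=config, which the {0} index prefix on the rule suggests. The database DN olcDatabase={1}mdb,cn=config and the use of the ldapi:/// socket with the EXTERNAL mechanism are assumptions; check your own database DN first with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess.

```ldif
# Added example, not the poster's configuration. The database DN below is an
# assumption; adjust it to the database that holds dc=the,dc=rain,dc=bow.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# Remove the rule at index 0: attrs=entry,children grants write only on the
# two pseudo-attributes, so the bound user may add/delete entries in the
# subtree but gets LDAP_INSUFFICIENT_ACCESS (0x32) on any modify.
delete: olcAccess
olcAccess: {0}
-
# Re-add the rule at the same index without attrs=. With no attrs= list the
# rule covers every attribute of the matched entries, including the entry and
# children pseudo-attributes, so add, delete and modify all succeed.
add: olcAccess
olcAccess: {0}to dn.subtree="ou=some,ou=where,ou=beneath,dc=the,dc=rain,dc=bow" by users write
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif and retry the failing modify as the same user. One caveat worth checking before you do: without attrs=, "by users write" lets every authenticated user write every attribute of every entry under that subtree, userPassword included. If that is broader than intended, keep the broad rule for adds and deletes and put a separate, earlier rule in front of it for the sensitive attributes (for example attrs=userPassword by self write by anonymous auth by * none), since slapd stops at the first "to" clause that matches the target entry and attribute.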