Linux – OpenLDAP Give Group Write Access

Tags: centos, linux, openldap, redhat, slapd

Our openldap has multiple groups: useradmins, agt, ib, iss, itt

The "useradmins" group has always had permissions to edit (write) to all of the groups. I recently performed a simple 'yum update' and openldap was updated. Since that time (about 3 days ago now) admins cannot write (add or change users). The error is:

Insufficient access – no write access to parent

…or, depending upon my trial and error with the slapd.conf file, sometimes I simply get:

Insufficient access

I have edited my slapd.conf file (about 500 times) trying different settings while reading online posts, docs, etc. My current slapd.conf file looks like this:

...
database        bdb
suffix          "dc=am5up,dc=com"
directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber               eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN                          eq
index entryUUID                         eq

access to *
          by self write
          by dn="cn=admin,dc=am5up,dc=com" write
          by group/groupOfUniqueNames/uniqueMember="cn=useradmins,ou=groups,dc=am5up,dc=com" write
          by * read
rootdn    "cn=admin,dc=am5up,dc=com"
rootpw    <hashed pwd>
...

My assumption is this line is wrong:

group/groupOfUniqueNames/uniqueMember="cn=useradmins,ou=groups,dc=am5up,dc=com" write

…but I have tried dozens of variations without success.

Can anyone make any suggestions?

Much appreciated.

Best Answer

So, according to the comment, the group is as follows:

dn: cn=useradmins,ou=group,dc=am5up,dc=com
cn: useradmins
gidnumber: 10001
memberuid: mscot
objectclass: posixGroup
memberuid: nhman
memberuid: taden
memberuid: japid

but according to the ACL:

by group/groupOfUniqueNames/uniqueMember="cn=useradmins,ou=groups,dc=am5up,dc=com" write

The group should have objectClass groupOfUniqueNames and uniqueMember (whoever you want to grant access to). But the group as shown above doesn't have either, so you can do two things now:

  • Add objectClass groupOfUniqueNames and its members as uniqueMember; the ACL will surely work.

OR

  • After doing some research I found that posixGroup only has syntax like this; you can use it to grant access to posixGroup members. You have to do something like:

# put whatever other "by" clauses you want before the set clause
access to *
           by set="user/uid & [cn=useradmins,ou=group,dc=am5up,dc=com]/memberuid" write
           by * none

The "user/uid" part applies if the memberuid values are the actual uid of the members; otherwise put whatever attribute you are using.
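An added example, not from the question or the answer: a small Python model of how slapd evaluates the two "by" clauses discussed above (the group/objectClass/memberAttr form and the set form) against the posted posixGroup entry. The user DNs under ou=people are assumed; the posted group entry sits under ou=group while the question's ACL names ou=groups, so the model uses the entry's own DN and also shows that the mismatched DN never matches.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]   # lowercase attribute name -> values
Directory = Dict[str, Entry]   # normalised DN -> entry

def norm(dn: str) -> str:
    """Compare DNs case- and space-insensitively, as slapd does in ACLs."""
    return dn.replace(" ", "").lower()

def attr(entry: Optional[Entry], name: str) -> List[str]:
    return entry.get(name.lower(), []) if entry else []

def group_clause_matches(d: Directory, bind_dn: str, group_dn: str,
                         objectclass: str, member_attr: str) -> bool:
    """by group/<objectclass>/<member_attr>="<group_dn>": the group entry must
    carry that objectClass AND list the bind DN among its <member_attr> values."""
    group = d.get(norm(group_dn))
    if group is None or objectclass.lower() not in [o.lower() for o in attr(group, "objectClass")]:
        return False
    return norm(bind_dn) in [norm(m) for m in attr(group, member_attr)]

def set_clause_matches(d: Directory, bind_dn: str, group_dn: str,
                       user_attr: str = "uid", group_attr: str = "memberUid") -> bool:
    """by set="user/<user_attr> & [<group_dn>]/<group_attr>": matches when the
    bound user's <user_attr> values intersect the group's <group_attr> values."""
    return bool(set(attr(d.get(norm(bind_dn)), user_attr))
                & set(attr(d.get(norm(group_dn)), group_attr)))

GROUP_DN = "cn=useradmins,ou=group,dc=am5up,dc=com"   # DN from the posted LDIF
MSCOT = "uid=mscot,ou=people,dc=am5up,dc=com"        # assumed DN of a listed member
GUEST = "uid=guest,ou=people,dc=am5up,dc=com"        # assumed DN of a non-member

# Constructed directory: the posixGroup exactly as posted, plus two user entries.
POSTED: Directory = {
    norm(GROUP_DN): {"objectclass": ["posixGroup"], "cn": ["useradmins"],
                     "gidnumber": ["10001"],
                     "memberuid": ["mscot", "nhman", "taden", "japid"]},
    norm(MSCOT): {"objectclass": ["posixAccount"], "uid": ["mscot"]},
    norm(GUEST): {"objectclass": ["posixAccount"], "uid": ["guest"]},
}

def with_option_one(d: Directory) -> Directory:
    """Option 1 from the answer: add groupOfUniqueNames and uniqueMember DNs.
    (Stock nis.schema makes posixGroup STRUCTURAL, so a real slapd accepts this
    combination only with the rfc2307bis schema, where posixGroup is AUXILIARY.)"""
    fixed = {dn: dict(e) for dn, e in d.items()}
    fixed[norm(GROUP_DN)]["objectclass"] = ["posixGroup", "groupOfUniqueNames"]
    fixed[norm(GROUP_DN)]["uniquemember"] = [MSCOT]
    return fixed

if __name__ == "__main__":
    oc, ma = "groupOfUniqueNames", "uniqueMember"
    print("group clause, posted entry:", group_clause_matches(POSTED, MSCOT, GROUP_DN, oc, ma))
    print("group clause, option 1    :", group_clause_matches(with_option_one(POSTED), MSCOT, GROUP_DN, oc, ma))
    print("set clause, member mscot  :", set_clause_matches(POSTED, MSCOT, GROUP_DN))
    print("set clause, non-member    :", set_clause_matches(POSTED, GUEST, GROUP_DN))
```

Whichever form you keep, verify it on the real server with a bind as a member and as a non-member (for example an ldapmodify on a test entry), and keep the trailing "by * none" or "by * read" so the set clause does not widen access beyond the group.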
