Alberto,
This works for me:
aci: (targetattr = "*")(target = "ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "TEST"; allow (compare,write,add)(userdn = "ldap:///uid=mreynolds,ou=People,dc=example,dc=com");)
You are missing "target", but I thought that didn't matter. So,
there could also be other conflicting DENY aci's that are causing
the issue. So you should look at the other aci's in the tree. If
you still don't find anything, you can turn on "access control list
processing" error logging which should tell you which aci is
triggering the DENY:
ldapmodify....
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 128
Set it back to zero when done.
But this significantly impacts the server performance, so only do it
on a non-production server.
Regards,
Mark
On 09/18/2012 12:43 PM, Alberto Viana wrote:
Anyone?
---------- Forwarded message ----------
From: Alberto Viana <albertocrj@gmail.com>
Date: Thu, Sep 13, 2012 at 5:19 PM
Subject: Allow to add a user (userpassword)
To: "General discussion list for the 389 Directory server
project." <389-users@lists.fedoraproject.org>
How can I allow a normal user from my directory (for example
uid=my.appuid,ou=test,dc=test,dc=com) to add a user entry in
the tree? (Remembering that I don't want this user as an
administrator, I just want that user to be able to add users
into a specific subtree in my directory). Is that possible?
ldapmodify -a -c -h 389_ds_host -D
"uid=my.appuid,ou=test,dc=test,dc=com" -w - -f test.ldif
adding new entry uid=testando,ou=test,dc=test,dc=com
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege
to the 'userPassword' attribute
I tried this kind of ACI:
dn: ou=test,dc=test,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)
or
aci: (targetattr="*")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)
Thanks
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Mark Reynolds
Red Hat, Inc
mreynolds@redhat.com
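As an added example (not code from the thread or from the 389 project), the script below generates the LDIF a practitioner would feed to ldapmodify for the two steps Mark describes (the subtree ACI with an explicit target, and toggling nsslapd-errorlog-level to 128 and back) and runs a loose syntax check over ACI strings so that the two problems visible in the thread, a missing (target=...) clause and an ACI cut off before its closing ";)", are caught before the change is pushed. The checker is an approximation of the ACI grammar (it accepts both the "acl" and "aci" keywords and bind rules with or without parentheses) and is not the server's parser; the sample ACIs are constructed from the DNs used in the thread.

```python
# Added example: LDIF generators plus a loose ACI sanity checker.
# Assumptions: ACI shape "(targetattr=...)(target=...)(version 3.0; acl "name";
# allow (rights) bind_rule;)" as in the working ACI from the thread; the
# keyword after "version 3.0;" may be "acl" or "aci"; DNs are caller-supplied.
import re

KNOWN_RIGHTS = {"read", "write", "add", "delete", "search",
                "compare", "selfwrite", "proxy", "all"}


def build_subtree_add_aci(subtree_dn, bind_dn, name="TEST"):
    """ACI letting bind_dn add/write/compare entries under subtree_dn."""
    return (f'(targetattr = "*")(target = "ldap:///{subtree_dn}")'
            f'(version 3.0; acl "{name}"; allow (compare,write,add)'
            f'(userdn = "ldap:///{bind_dn}");)')


def aci_ldif(entry_dn, aci):
    """LDIF that adds the aci attribute to entry_dn (input for ldapmodify)."""
    return f"dn: {entry_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def errorlog_level_ldif(level):
    """LDIF that sets nsslapd-errorlog-level on cn=config (128 = ACL processing)."""
    return ("dn: cn=config\nchangetype: modify\n"
            f"replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: {level}\n")


def _balanced(text):
    """True if every '(' has a matching ')' (a truncated ACI fails this)."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Order matters: "targetattr" must be tried before the shorter "target".
_TARGET_RE = re.compile(
    r'\(\s*(targetattr|targetfilter|target)\s*!?=\s*"([^"]*)"\s*\)')
_BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*(?:acl|aci)\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)


def check_aci(aci):
    """Loosely parse an ACI string; return (parsed_pieces, list_of_issues)."""
    issues = []
    parsed = {"targets": {}, "name": None, "rules": []}
    if not _balanced(aci):
        issues.append("unbalanced parentheses (truncated or unterminated ACI?)")
    for key, value in _TARGET_RE.findall(aci):
        parsed["targets"][key] = value
    if "target" not in parsed["targets"]:
        issues.append("no (target=...) clause; the working ACI in the thread sets one")
    body = _BODY_RE.search(aci)
    if not body:
        issues.append('no complete (version 3.0; acl "..."; ...;) block found')
        return parsed, issues
    parsed["name"] = body.group(1)
    for perm, rights, bind in _RULE_RE.findall(body.group(2)):
        rights_set = {r.strip().lower() for r in rights.split(",") if r.strip()}
        unknown = rights_set - KNOWN_RIGHTS
        if unknown:
            issues.append(f"unknown rights: {sorted(unknown)}")
        parsed["rules"].append((perm, sorted(rights_set), bind.strip()))
    if not parsed["rules"]:
        issues.append("no complete allow/deny rule (missing bind rule or trailing ';')")
    return parsed, issues


# Constructed samples modelled on the ACIs in the thread.
SAMPLE_OK = build_subtree_add_aci("ou=People,dc=example,dc=com",
                                  "uid=mreynolds,ou=People,dc=example,dc=com")
SAMPLE_NO_TARGET = ('(targetattr="userPassword")(version 3.0;aci "shib writer";'
                    'allow (add,write,compare) '
                    'userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)')
SAMPLE_TRUNCATED = SAMPLE_NO_TARGET[:-2]   # ACI cut off before its closing ';)'

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("no target", SAMPLE_NO_TARGET),
                          ("truncated", SAMPLE_TRUNCATED)):
        parsed, issues = check_aci(sample)
        print(f"[{label}] rules={parsed['rules']} issues={issues or 'none'}")
    print(aci_ldif("ou=test,dc=test,dc=com", SAMPLE_OK))
    print(errorlog_level_ldif(128))   # enable ACL logging on a test server
    print(errorlog_level_ldif(0))     # and the LDIF to turn it back off
```

Run it as a script to see the three reports and the LDIF; pipe the LDIF into ldapmodify against a test server, as Mark advises, since level 128 logs every ACL evaluation and is costly on a busy instance.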