<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Alberto,<br>
<br>
This works me:<br>
<br>
aci: (targetattr = "*") (target =
<a class="moz-txt-link-rfc2396E" href="ldap:///ou=People,dc=example,dc=com">"ldap:///ou=People,dc=example,dc=com"</a>) (version 3.0;acl "TEST";allow
(compare,write,add)<br>
(userdn = <a class="moz-txt-link-rfc2396E" href="ldap:///uid=mreynolds,ou=People,dc=example,dc=com">"ldap:///uid=mreynolds, ou=People,dc=example,dc=com"</a>);)<br>
<br>
You are missing "target", but I thought that didn't matter. So,
there could also be other conflicting DENY aci's that are causing
the issue. So you should look at the other aci's in the tree. If
you still don't find anything, you can turn on "access control list
processing" error logging which should tell you which aci is
triggering the DENY:<br>
<br>
ldapmodify....<br>
dn: cn=config<br>
changetype: modify<br>
replace: nsslapd-errorlog-level<br>
nsslapd-errorlog-level: 128<br>
<br>
Set it back to zero when done.<br>
<br>
But this significantly impacts the server performance, so only do it
on a non-production server.<br>
<br>
Regards,<br>
Mark<br>
<br>
On 09/18/2012 12:43 PM, Alberto Viana wrote:
<blockquote
cite="mid:CAD5whWdQbLi5bgqLLj86rPdRGhCmhvvshv__97mc1ishiKJSFg@mail.gmail.com"
type="cite">Anyone?<br>
<br>
<div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Alberto Viana</b> <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:albertocrj@gmail.com">albertocrj@gmail.com</a>></span><br>
Date: Thu, Sep 13, 2012 at 5:19 PM<br>
Subject: Allow to add a user (userpassword)<br>
To: "General discussion list for the 389 Directory server
project." <<a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>><br>
<br>
<br>
How Can allow a normal user from my directory (for example
uid=my.appuid,ou=test,dc=test,dc=com ) to add an user entry in
the tree? (Remebering that I dont want this user as a
administrator, I just want that user to be able to add users
into a specific subtree in my directory). Is that possible?
<div>
<br>
</div>
<div><br>
</div>
<div>ldapmodify -a -c -h 389_ds_host -D
"uid=my.appuid,ou=test,dc=test,dc=com" -w - -f test.ldif</div>
<div><br>
</div>
<div>adding new entry uid=testando,ou=test,dc=test,dc=com</div>
<div>
<div>
ldap_add: Insufficient access</div>
<div>ldap_add: additional info: Insufficient 'add' privilege
to the 'userPassword' attribute</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I tried this kind of ACI:</div>
<div><br>
</div>
<div>
<div>dn: ou=test,dc=test,dc=com</div>
<div>changetype: modify</div>
<div>add: aci</div>
<div>aci: (targetattr="userPassword")(version 3.0;aci "shib
writer";allow (add,write,compare)
userdn=<a class="moz-txt-link-rfc2396E" href="ldap:///uid=my.appuid,ou=test,dc=test,dc=com">"ldap:///uid=my.appuid,ou=test,dc=test,dc=com"</a>;)</div>
</div>
<div><br>
</div>
<div>or </div>
<div><br>
</div>
<div>aci: (targetattr="*")(version 3.0;aci "shib writer";allow
(add,write,compare)
userdn=<a class="moz-txt-link-rfc2396E" href="ldap:///uid=my.appuid,ou=test,dc=test,dc=com">"ldap:///uid=my.appuid,ou=test,dc=test,dc=com"</a>;)
</div>
<div><br>
</div>
<div>Thanks</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Mark Reynolds
Red Hat, Inc
<a class="moz-txt-link-abbreviated" href="mailto:mreynolds@redhat.com">mreynolds@redhat.com</a></pre>
</body>
</html>