[389-users] Fwd: Allow to add a user (userpassword)

Mark Reynolds mareynol at redhat.com
Mon Sep 24 18:52:18 UTC 2012


Alberto,

This works for me:

aci: (targetattr = "*") (target = "ldap:///ou=People,dc=example,dc=com") 
(version 3.0;acl "TEST";allow (compare,write,add)
(userdn = "ldap:///uid=mreynolds, ou=People,dc=example,dc=com");)

You are missing "target", but I thought that didn't matter.  So, there 
could also be other conflicting DENY aci's that are causing the issue.  
So you should look at the other aci's in the tree.  If you still don't 
find anything, you can turn on "access control list processing" error 
logging which should tell you which aci is triggering the DENY:

ldapmodify....
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 128

Set it back to zero when done.

But this significantly impacts the server performance, so only do it on 
a non-production server.

Regards,
Mark

On 09/18/2012 12:43 PM, Alberto Viana wrote:
> Anyone?
>
> ---------- Forwarded message ----------
> From: Alberto Viana <albertocrj at gmail.com>
> Date: Thu, Sep 13, 2012 at 5:19 PM
> Subject: Allow to add a user (userpassword)
> To: "General discussion list for the 389 Directory server project." 
> <389-users at lists.fedoraproject.org>
>
>
> How can I allow a normal user from my directory (for example 
> uid=my.appuid,ou=test,dc=test,dc=com) to add a user entry in the 
> tree? (Remembering that I don't want this user to be an administrator, I 
> just want that user to be able to add users into a specific subtree in 
> my directory.) Is that possible?
>
>
> ldapmodify -a -c -h 389_ds_host -D 
> "uid=my.appuid,ou=test,dc=test,dc=com" -w - -f test.ldif
>
> adding new entry uid=testando,ou=test,dc=test,dc=com
> ldap_add: Insufficient access
> ldap_add: additional info: Insufficient 'add' privilege to the 
> 'userPassword' attribute
>
>
> I tried this kind of ACI:
>
> dn: ou=test,dc=test,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="userPassword")(version 3.0;aci "shib writer";allow 
> (add,write,compare) 
> userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)
>
> or
>
> aci: (targetattr="*")(version 3.0;aci "shib writer";allow 
> (add,write,compare) 
> userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)
>
> Thanks
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-- 
Mark Reynolds
Red Hat, Inc
mreynolds at redhat.com
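
The following script is an added example and is not code from the thread or from the 389 DS project. It puts the advice above in the order a practitioner would follow it: list the ACIs already under the suffix (a DENY anywhere above wins over a new ALLOW), attach a scoped ACI that grants the application DN only the "add" right on the one subtree, attempt the add as that DN, and only if it is still refused raise nsslapd-errorlog-level to 128 long enough to capture the ACL decision, restoring 0 through an EXIT trap so the expensive logging cannot be left on. Everything not in the thread is an assumption: OpenLDAP client tools with the -x, -H and -y switches (passwords read from files instead of the command line), cn=Directory Manager as the administrative bind DN, the errors log path, and the placeholder host and DNs, all overridable through the environment.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the 389 DS project.
# Steps: show existing ACIs, add a scoped ACI for the app bind DN, try the add
# as that DN, and if still denied capture ACL processing logging (level 128),
# restoring level 0 via a trap so the heavy logging is never left enabled.
#
# Assumptions (none stated in the thread): OpenLDAP client tools (-x, -H, -y),
# cn=Directory Manager as admin DN, bind passwords in files so they do not
# show up in the process list, and the errors log at $ERRORS_LOG. The host
# and DNs are placeholders taken from the thread.

SUFFIX="${SUFFIX:-dc=test,dc=com}"
SUBTREE="${SUBTREE:-ou=test,dc=test,dc=com}"
APP_DN="${APP_DN:-uid=my.appuid,ou=test,dc=test,dc=com}"
APP_PWFILE="${APP_PWFILE:-./app.pw}"
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"
ADMIN_PWFILE="${ADMIN_PWFILE:-./dm.pw}"
ENTRY_LDIF="${ENTRY_LDIF:-test.ldif}"
ERRORS_LOG="${ERRORS_LOG:-/var/log/dirsrv/slapd-localhost/errors}"

# LDIF that attaches one ACI to the subtree. Only "add" is granted, the single
# right the failing ldapadd needs. targetattr = "*" is required because the
# server checks add rights attribute by attribute, so an ACI limited to
# userPassword would still fail on the entry's other attributes.
aci_ldif() {   # $1 subtree DN, $2 bind DN allowed to add, $3 ACI name
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$1"
    printf 'aci: (target = "ldap:///%s")(targetattr = "*")' "$1"
    printf '(version 3.0; acl "%s"; allow (add) (userdn = "ldap:///%s");)\n' "$3" "$2"
}

# LDIF that sets the error log level: 128 = ACL processing, 0 = default.
errorlog_ldif() {   # $1 level
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

admin_modify() {   # apply LDIF from stdin as the administrator
    ldapmodify -x -H "ldap://$DS_HOST" -D "$ADMIN_DN" -y "$ADMIN_PWFILE"
}

list_acis() {   # every ACI under the suffix; a DENY outranks any ALLOW
    ldapsearch -x -LLL -H "ldap://$DS_HOST" -D "$ADMIN_DN" -y "$ADMIN_PWFILE" \
        -b "$SUFFIX" '(aci=*)' aci
}

try_add() {   # the operation from the thread, performed as the app user
    ldapadd -x -H "ldap://$DS_HOST" -D "$APP_DN" -y "$APP_PWFILE" -f "$ENTRY_LDIF"
}

main() {
    echo "== ACIs currently under $SUFFIX"
    list_acis
    echo "== adding scoped ACI for $APP_DN on $SUBTREE"
    aci_ldif "$SUBTREE" "$APP_DN" "app can add users" | admin_modify
    if try_add; then
        echo "== add succeeded"
        return 0
    fi
    echo "== still denied; capturing ACL processing log (expensive, keep it short)"
    trap 'errorlog_ldif 0 | admin_modify' EXIT   # always switch it back off
    errorlog_ldif 128 | admin_modify
    try_add || true
    # Exact line format differs between versions; the acl entries are at the end.
    grep -i 'acl' "$ERRORS_LOG" | tail -n 40
}

# Only talk to a server when one is named; otherwise just define the functions.
if [ -n "${DS_HOST:-}" ]; then
    main
fi
```

Run it as DS_HOST=389_ds_host sh ./aci-add-debug.sh against a non-production instance; ACL logging stays at 128 only until the script exits, and the captured lines name the ACI that produced the DENY.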
