----- Wolf-Agathon Schaly <[email protected]> wrote:
> Fellows
>
> I'm trying to grant write access to the subtree using the following access
> directive
>
> access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
>     by dn="cn=myusername,ou=users,o=privat,c=de" write
>     by anonymous read
>     by * auth

(1)

> this rule is working fine but for just one user. If I add another 'by dn'
> like
>
>     by dn="cn=yourusername,ou=users,o=privat,c=de" write
>
> It is working as well. WhoHoo!
> That would be fine if I wouldn't expect a huge number of users. Another
> unacceptable issue would be that the ldap instance would need a restart.
> That's why I decided to grant access to the dn.subtree to a group (i.e. dba)
> and have tried the following directive
>
> access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
>     by group="cn=dba,ou=groups,o=privat,c=de" write
>     by anonymous read

(2)

> But whenever I try as a member of the dba group to write an entry underneath
> the cn=OracleContext,.... I'm getting the error message
>
> Enter LDAP Password:
> adding new entry "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"
> ldap_add: Insufficient access (50)
>     additional info: no write access to parent

When changing from (1) to (2) you changed two portions of your ACL: the <what> and the <who>. According to your description of the problem, your intention was to change only the <who>. Why did you change the <what>, then (going from correct to incorrect)? Use the (right) <what> from (1) and the new <who> from (2). This will solve your problem.

In general, apply changes one at a time, especially when you're at a loss.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   [email protected]
-----------------------------------
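Why swapping the <what> breaks ldapadd, as an added illustration that is not part of the thread above and not OpenLDAP code: a small Python model of slapd's access-control evaluation (first matching `access to` clause wins, then the first matching `by` clause, otherwise denied), run against the two directives from the post and against the combination Masarati recommends. An add operation needs write access on the parent of the new entry; `dn.subtree` covers the base entry `cn=OracleContext,...` itself, whereas the regex `(.*,)cn=OracleContext,...` requires at least one RDN in front of it and therefore never matches that parent. DN handling is simplified (no escaped commas, plain case-insensitive comparison), and the `GROUPS` table is a constructed stand-in for the groupOfNames/member lookup slapd performs.

```python
"""Toy model of slapd ACL evaluation, written for this page to show why the
dn.regex <what> in (2) yields 'no write access to parent' on ldapadd while the
dn.subtree <what> in (1) does not. Not OpenLDAP code; semantics simplified."""
import re
import shlex

# Access levels in slapd's order; a 'by' clause granting level N satisfies
# any request for a level at or below N.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed group membership (stand-in for a groupOfNames entry in the DIT).
GROUPS = {
    "cn=dba,ou=groups,o=privat,c=de": {
        "cn=myusername,ou=users,o=privat,c=de",
        "cn=yourusername,ou=users,o=privat,c=de",
    }
}

# The directives from the thread, plus the combination the reply recommends.
ACL_1 = '''
access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
    by dn="cn=myusername,ou=users,o=privat,c=de" write
    by anonymous read
    by * auth
'''
ACL_2 = '''
access to dn.regex="(.*,)cn=OracleContext,ou=services,o=privat,c=de"
    by group="cn=dba,ou=groups,o=privat,c=de" write
    by anonymous read
'''
ACL_FIXED = '''
access to dn.subtree="cn=OracleContext,ou=services,o=privat,c=de"
    by group="cn=dba,ou=groups,o=privat,c=de" write
    by anonymous read
    by * auth
'''
NEW_ENTRY = "cn=dgdb,cn=OracleContext,ou=services,o=privat,c=de"
DBA_MEMBER = "cn=myusername,ou=users,o=privat,c=de"


def norm(dn):
    """Simplified DN normalisation: trim and lowercase (no escape handling)."""
    return dn.strip().lower()


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)   # strips the quotes for us
        if not toks:
            continue
        if toks[:2] == ["access", "to"]:
            style, _, pattern = toks[2].partition("=")   # dn.subtree=... / dn.regex=...
            rules.append({"style": style, "pattern": pattern, "by": []})
        elif toks[0] == "by":
            rules[-1]["by"].append((toks[1], toks[2]))
    return rules


def what_matches(rule, target):
    target = norm(target)
    if rule["style"] == "dn.subtree":
        base = norm(rule["pattern"])
        # subtree scope includes the base entry itself and everything below it
        return target == base or target.endswith("," + base)
    if rule["style"] == "dn.regex":
        # slapd uses regexec(), i.e. an unanchored, case-insensitive search
        return re.search(rule["pattern"], target, re.IGNORECASE) is not None
    raise ValueError(f"unsupported <what> style: {rule['style']}")


def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    key, _, value = who.partition("=")
    if key == "dn":
        return bind_dn is not None and norm(bind_dn) == norm(value)
    if key == "group":
        members = {norm(m) for m in GROUPS.get(norm(value), ())}
        return bind_dn is not None and norm(bind_dn) in members
    raise ValueError(f"unsupported <who>: {who}")


def granted(rules, target, bind_dn, level):
    """First 'access to' whose <what> matches wins; inside it the first
    matching 'by' decides. No match at all means slapd's implicit 'by * none'."""
    for rule in rules:
        if not what_matches(rule, target):
            continue
        for who, lvl in rule["by"]:
            if who_matches(who, bind_dn):
                return LEVELS.index(lvl) >= LEVELS.index(level)
        return False
    return False


def can_add(rules, new_dn, bind_dn):
    """ldapadd needs write access on the parent of the new entry; this is the
    check behind 'additional info: no write access to parent'."""
    parent = new_dn.split(",", 1)[1]
    return granted(rules, parent, bind_dn, "write")


if __name__ == "__main__":
    for name, text in (("(1)", ACL_1), ("(2)", ACL_2), ("fixed", ACL_FIXED)):
        print(name, "dba member may add", NEW_ENTRY, "->",
              can_add(parse_acl(text), NEW_ENTRY, DBA_MEMBER))
```

Running it shows (1) and the fixed variant granting the add and (2) denying it, even though the regex in (2) does match the child entry being added; the rule simply no longer says anything about the parent, so the implicit `by * none` applies there. The same check is worth doing by hand on a real server: run `ldapadd` as the group member against the parent entry (for instance an `ldapmodify` touching it) before blaming the group clause.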
