This works me:

aci: (targetattr = "*") (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;acl "TEST";allow (compare,write,add)
(userdn = "ldap:///uid=mreynolds, ou=People,dc=example,dc=com");)

You are missing "target", but I thought that didn't matter.  So, there could also be other conflicting DENY aci's that are causing the issue.  So you should look at the other aci's in the tree.  If you still don't find anything, you can turn on "access control list processing" error logging which should tell you which aci is triggering the DENY:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 128

Set it back to zero when done.

But this significantly impacts the server performance, so only do it on a non-production server.


On 09/18/2012 12:43 PM, Alberto Viana wrote:

---------- Forwarded message ----------
From: Alberto Viana <>
Date: Thu, Sep 13, 2012 at 5:19 PM
Subject: Allow to add a user (userpassword)
To: "General discussion list for the 389 Directory server project." <>

How Can allow a normal user from my directory (for example  uid=my.appuid,ou=test,dc=test,dc=com ) to add an user entry in the tree? (Remebering that I dont want this user as a administrator, I just want that user to be able to add users into a specific subtree in my directory). Is that possible?

ldapmodify -a -c -h 389_ds_host -D "uid=my.appuid,ou=test,dc=test,dc=com" -w - -f test.ldif

adding new entry uid=testando,ou=test,dc=test,dc=com
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege to the 'userPassword' attribute

I tried this kind of ACI:

dn: ou=test,dc=test,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)


aci: (targetattr="*")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)


389 users mailing list

Mark Reynolds
Red Hat, Inc