On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Rich Megginson wrote:
>> Craig White wrote:
>>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>>> I have users personal address books as an ou under their accounts...
>>>> but when I try to add an entry, I am blocked...
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
>>>> nentries=0 etime=0
>>>> I need an ACI that allows each uid account to read/write entries
>>>> under their own accounts and the only ACIs I have are the ones
>>> It would be great if I could get some help here.
>> The ACL Summary error log level can provide some clues.
>>> I know that in OpenLDAP, ACLs are processed top down and so I'm
>>> at the ACIs that would govern here.
>>> dc=example,dc=com has the following ACI (the second one after anonymous
>>> (targetattr = "carLicense ||description ||displayName
>>> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
>>> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
>>> ||postOfficeBox ||postalAddress ||postalCode
>>> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
>>> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
>>> ||telexNumber ||title ||userCertificate ||userPassword
>>> ||userSMIMECertificate ||x500UniqueIdentifier")
>>> (version 3.0;
>>> acl "Enable self write for common attributes";
>>> allow (write)
>>> (userdn = "ldap:///self")
>>> and I added one more (it's on the bottom of the list - #7)...
>>> (targetattr = "*") (version 3.0;acl "Personal Address
>>> (write)(userdn = "ldap:///self");)
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see
I'm not sure if 'self' will work here either... nothing seems to work.
This is the ACL that works for me in OpenLDAP...
by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
by * none
This looks like a macro ACI. Have you tried a macro ACI in conjunction
with the "add" right?
I am hesitant to fool with the access control while there are people
working on the network but the above is exactly what I want to work in
Fedora-directory-users mailing list
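The macro ACI with the "add" right that Rich suggests, written out as an added example (not from this thread or the project docs). It assumes the user entries live at uid=<name>,ou=People,dc=example,dc=com, as in the OpenLDAP ACL quoted above, that each personal address book is an ou directly beneath the user's own entry, and that [$dn] in the subject is evaluated against each successively shorter suffix of the DN fragment matched by ($dn) in the target, so that adding cn=bob,ou=addressbook,uid=cwhite,... matches the bound user uid=cwhite,ou=People,...:

```ldif
# Added example, not from the thread. Applied to the People container so it
# covers every user's subtree with a single ACI.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),ou=People,dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Users manage entries beneath their own account";
 allow (read,search,compare,add,write,delete)
 userdn="ldap:///[$dn],ou=People,dc=example,dc=com";)
# Caveat: ($dn) also matches the user's own entry (($dn) = uid=cwhite), so this
# grants the same rights, delete included, on that entry; narrow the rights or
# add a targetfilter (assumed syntax, check the ACI docs) if that is unwanted.
```

After loading it, retry the ADD that returned err=50 and read the ACL summary error log level mentioned above to confirm which ACI allowed or denied it.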