Re: Does userattr="parent[1].attribute#LDAPURL" work ?


 



Hi again,

since my first post may be complex, I made a much simpler sample, with
standard objects.

I created a root suffix 'o=bug'

with two ACIs:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)

Then I added a user, uid=testuser,o=bug

Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)

According to the ACIs, testuser should be able to modify ou=testparentobject
and to create child objects under it.

But he can only modify it.

I can't find where I made a mistake.

I have included my LDIF files and LDAP commands below.


Thank you for your help

François



Here are the LDIF files :
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";;)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit




--------- modification command ----------
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$

--------- creation command -----------
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'.
$




---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789




---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject
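
A small model of how the post expects the two userattr "#LDAPURL" bind rules to evaluate against the posted LDIF, added here as an example; it is not part of the original message and is not 389 Directory Server code. The entry table, the function names and the handling of only a single equality filter are assumptions made for illustration, and the model does not reproduce the server's actual ACI evaluation.

```python
# Constructed from the LDIF in the post (DNs lower-cased; only needed attributes).
ENTRIES = {
    "o=bug": {"o": ["bug"]},
    "uid=testuser,o=bug": {"uid": ["testuser"]},
    "ou=testparentobject,o=bug": {
        "description": ["ldap:///o=bug??sub?(uid=testuser)"],
    },
}

def ancestor(dn, levels):
    """DN `levels` steps above dn; naive split, assumes no escaped commas."""
    parts = dn.split(",")
    return ",".join(parts[levels:]) if levels < len(parts) else None

def in_scope(dn, base, scope):
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    if scope == "one":
        return ancestor(dn, 1) == base
    return dn == base  # "base" is the default scope when the field is empty

def url_selects(url, bind_dn):
    """True if bind_dn would be returned by the search the LDAP URL describes."""
    if not url.lower().startswith("ldap:///"):
        return False
    base, _attrs, scope, flt = (url[8:].split("?") + [""] * 3)[:4]
    if not in_scope(bind_dn, base.lower(), scope.lower() or "base"):
        return False
    if not flt:
        return True  # an empty filter means (objectClass=*)
    # Simplification: only a single equality filter "(attr=value)" is handled.
    attr, _, value = flt.strip("()").partition("=")
    values = ENTRIES.get(bind_dn, {}).get(attr.lower(), [])
    return value.lower() in (v.lower() for v in values)

def userattr_ldapurl(target_dn, bind_dn, attr, levels=0):
    """Model of userattr="parent[levels].attr#LDAPURL"; levels=0 is the target."""
    holder = ancestor(target_dn.lower(), levels)
    urls = ENTRIES.get(holder, {}).get(attr, [])
    return any(url_selects(u, bind_dn.lower()) for u in urls)

USER = "uid=testuser,o=bug"
PARENT = "ou=testparentobject,o=bug"
CHILD = "ou=testchildobject,ou=testparentobject,o=bug"  # entry being added
```

In this model the modify on ou=testparentobject is matched by the first ACI, while the add of ou=testchildobject can only be matched by the parent[1] ACI, because the new entry carries no description of its own.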