Re: Fwd: Allow to add a user (userpassword)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Alberto,

This works me:

aci: (targetattr = "*") (target = "ldap:///ou=People,dc=example,dc=com") (version 3.0;acl "TEST";allow (compare,write,add)
(userdn = "ldap:///uid=mreynolds, ou=People,dc=example,dc=com");)

You are missing "target", but I thought that didn't matter.  So, there could also be other conflicting DENY aci's that are causing the issue.  So you should look at the other aci's in the tree.  If you still don't find anything, you can turn on "access control list processing" error logging which should tell you which aci is triggering the DENY:

ldapmodify....
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 128

Set it back to zero when done.

But this significantly impacts the server performance, so only do it on a non-production server.

Regards,
Mark

On 09/18/2012 12:43 PM, Alberto Viana wrote:
Anyone?

---------- Forwarded message ----------
From: Alberto Viana <albertocrj@xxxxxxxxx>
Date: Thu, Sep 13, 2012 at 5:19 PM
Subject: Allow to add a user (userpassword)
To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx>


How Can allow a normal user from my directory (for example  uid=my.appuid,ou=test,dc=test,dc=com ) to add an user entry in the tree? (Remebering that I dont want this user as a administrator, I just want that user to be able to add users into a specific subtree in my directory). Is that possible?


ldapmodify -a -c -h 389_ds_host -D "uid=my.appuid,ou=test,dc=test,dc=com" -w - -f test.ldif

adding new entry uid=testando,ou=test,dc=test,dc=com
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege to the 'userPassword' attribute


I tried this kind of ACI:

dn: ou=test,dc=test,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)

or 

aci: (targetattr="*")(version 3.0;aci "shib writer";allow (add,write,compare) userdn="ldap:///uid=my.appuid,ou=test,dc=test,dc=com";)

Thanks



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

-- 
Mark Reynolds
Red Hat, Inc
mreynolds@xxxxxxxxxx
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux