Re: Does userattr="parent[1].attribute#LDAPURL" work ?


Hi again,

since my first post may be complex, I made a much simpler sample, with standard objects.

I created a root suffix 'o=bug'

with two ACI:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)

Then I added a user, uid=testuser,o=bug

Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)

According to the ACIs, testuser should be able to modify ou=testparentobject and to create child objects under it.

But he can only modify it.

I don't find where I made a mistake.

I attach my LDIF files and LDAP commands.


Thank you for your help

François



Here are the LDIF files:
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit

--------- modification command ----------
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$

--------- creation command -----------
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'.
$

---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789

---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
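Added example, not from the poster nor from the Fedora Directory Server code: a small Python model of how a userattr="parent[n].attr#LDAPURL" bind rule resolves, as the post reads it. parent[n] selects the n-th ancestor of the target entry (parent[0] is the entry itself), and the bind DN must fall inside the base, scope and filter of the LDAP URL stored in that ancestor's attribute. The directory is constructed from the post's LDIF, the DN handling assumes no escaped commas, and the filter evaluator supports only a single equality or presence filter.

```python
import re
from urllib.parse import unquote
# Constructed directory mirroring the post's LDIF (only the attributes the ACI consults).
DIRECTORY = {
    "uid=testuser,o=bug": {"uid": ["testuser"]},
    "ou=testparentobject,o=bug": {"description": ["ldap:///o=bug??sub?(uid=testuser)"]},
}

def parent_dn(dn, level):
    """Ancestor `level` RDNs above dn; level 0 is the entry itself (assumes no escaped commas)."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join(rdns[level:])  # "" when the level runs past the suffix

def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into (base, scope, filter) with RFC 4516 defaults."""
    m = re.match(r"ldap://[^/]*/([^?]*)\??([^?]*)\??([^?]*)\??(.*)", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    base, _attrs, scope, filt = (unquote(p) for p in m.groups())
    return base.lower(), (scope or "base").lower(), filt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """True if dn lies within base under search scope base/one/sub."""
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or (scope == "one" and dn[:-len(base)].count(",") == 1)

def matches_filter(entry, filt):
    """Evaluate one equality filter such as (uid=testuser); (attr=*) is a presence test."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values

def userattr_ldapurl_allows(target_dn, level, attr, bind_dn, directory=DIRECTORY):
    """Model of userattr="parent[level].attr#LDAPURL": bind DN must satisfy a URL in the ancestor's attr."""
    anc = parent_dn(target_dn, level)
    bind_entry = directory.get(bind_dn)
    if anc not in directory or bind_entry is None:  # absent ancestor (or unknown binder) never matches
        return False
    for url in directory[anc].get(attr, []):
        base, scope, filt = parse_ldap_url(url)
        if in_scope(bind_dn, base, scope) and matches_filter(bind_entry, filt):
            return True
    return False
```

Under this reading the add in the post matches at parent[1], because the child's immediate parent holds the URL, which is exactly the expectation the server's "Insufficient access" result contradicts. Note also that the rule grants the matched user all rights on the entry, description included, so whoever the URL admits can rewrite the URL itself.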
