Anyone got a clue? Thanks. -Glenn.

---------- Original Message -----------
From: "Glenn" <glenn@xxxxxxxxxxxxxx>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Sent: Wed, 5 Dec 2007 11:07:00 -0500
Subject: Re: ACIs Don't Work?

> ---------- Original Message -----------
> From: Rich Megginson <rmeggins@xxxxxxxxxx>
> To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
> Sent: Wed, 05 Dec 2007 08:18:53 -0700
> Subject: Re: [Fedora-directory-users] ACIs Don't Work?
>
> > Glenn wrote:
> > > I'm trying to establish an ACI for directory administrators in Fedora
> > > Directory 1.0.3. In the directory console, I right-click the OU and
> > > select "Set Access Permissions". I visit each tab in the visual editor and
> > > enter the correct users, rights, targets, hosts and times. After saving, the
> > > OU shows one ACI. Then I log in to the web-based Directory Server Gateway as
> > > one of the users specified in the ACI, but I am unable to edit another user's
> > > directory attributes. The error message is:
> > >
> > > "An error occurred while contacting the LDAP server.
> > > (Insufficient access - Insufficient 'write' privilege to the 'roomNumber'
> > > attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )
> > >
> > > You do not have sufficient privileges to perform the operation."
> > >
> > > I checked all the inherited ACIs on the OU, and no rights are denied. What
> > > else should I look at? Thanks. -Glenn.
> >
> > It would be very helpful if you could post the acis you have:
> >
> > ldapsearch -x -D "cn=directory manager" -w password -s sub -b "dc=your, dc=suffix" "aci=*" aci
> >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------- End of Original Message -------
>
> Rich - I'm posting the acis below. I tried to remove extra carriage
> returns for readability. Thanks. -Glenn.
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=txwes,dc=edu> with scope sub
> # filter: aci=*
> # requesting: aci
> #
>
> # txwes.edu
> dn: dc=txwes,dc=edu
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
> aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot");)
> aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,dc=txwes,dc=edu");)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-sibelius,cn=Fedora Directory Server,cn=Server Group,cn=sibelius.txwes.edu,ou=txwes.edu,o=NetscapeRoot";)
>
> # People, txwes.edu
> dn: ou=People,dc=txwes,dc=edu
> aci: (targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu") (version 3.0;acl "ICT Admin";allow (all)(userdn = "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=cchiles,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=pirwinsky,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=sserrano,ou=Main,ou=People,dc=txwes,dc=edu") and (ip="10.100.2.*" or ip="10.100.2.21");)
>
> # Law, People, txwes.edu
> dn: ou=Law,ou=People,dc=txwes,dc=edu
> aci: (targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all) (userdn = "ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=jseifert,ou=Law,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and (ip="192.168.168.*" or ip="10.100.8.*" or ip="10.100.9.*" or ip="10.100.10.*" or ip="10.100.11.*" or ip="192.168.10.*" or ip="192.168.20.*" or ip="192.168.30.*");)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
>
------- End of Original Message -------
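To see which of the posted ACIs can actually grant a given bind DN a given right, here is a small evaluator for exactly the ACI syntax that appears in the thread (targetattr / target, allow (rights), and userdn / groupdn / ip bind rules combined with and, or and parentheses). This is an added example, not code from the thread or from Fedora/389 Directory Server, and it only approximates the server's rules: the ip keyword is matched with a shell-style wildcard rather than the server's per-octet matching, and the self-write attribute list is trimmed to three attributes. The ACIS list is taken from the LDIF above (the group-based ACIs are left out because no membership data is on the page); the client addresses fed to it (10.100.2.5 and 10.100.3.7) are constructed. One caveat worth checking against the "ICT Admin" ACI: the ip bind rule is evaluated against the source address of the LDAP connection as the directory server sees it, so when a web front end such as the Directory Server Gateway does the binding, that is the gateway host's address, not the browser's.

```python
"""Toy evaluator for the ACI subset in the thread: targetattr, target, allow/deny rights,
userdn/groupdn/ip bind rules joined by and/or/(). Added example, not 389 DS code."""
import fnmatch
import re
ALL_RIGHTS = {"read", "write", "search", "compare", "add", "delete", "selfwrite", "proxy"}
# ACIs from the thread that reach ou=People, keyed by the entry they sit on. The self-write
# attribute list is trimmed and the group ACIs are left out (no membership data here).
ACIS = [
    ("dc=txwes,dc=edu", '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous '
     'access"; allow (read, search, compare)userdn="ldap:///anyone";)'),
    ("dc=txwes,dc=edu", '(targetattr="mail ||roomNumber ||telephoneNumber")(version 3.0; '
     'acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)'),
    ("ou=People,dc=txwes,dc=edu", '(targetattr = "*") (target = "ldap:///ou=People,dc=txwes,'
     'dc=edu") (version 3.0;acl "ICT Admin";allow (all)(userdn = "ldap:///uid=breese,ou=Main,'
     'ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,'
     'dc=edu") and (ip="10.100.2.*" or ip="10.100.2.21");)'),
]
ACI_RE = re.compile(
    r'^(?P<targets>(?:\(\s*target(?:attr)?\s*!?=\s*"[^"]*"\s*\)\s*)*)\(\s*version\s+3\.0\s*;'
    r'\s*acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*(?P<bind>.*?)\s*;\s*\)\s*$', re.S)
TARGET_RE = re.compile(r'\(\s*(target(?:attr)?)\s*(!?=)\s*"([^"]*)"\s*\)')
TOKEN_RE = re.compile(r'\(|\)|\b(?:and|or)\b|(?:userdn|groupdn|ip)\s*=\s*"[^"]*"', re.I)

def norm_dn(dn):
    """Case-fold and drop spaces after commas so DNs compare textually."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def in_scope(entry, base):
    return entry == base or entry.endswith("," + base)

def parse_aci(text):
    m = ACI_RE.match(text.strip())
    assert m, "unsupported ACI syntax: " + text[:60]
    aci = {"name": m["name"], "kind": m["kind"], "bind": m["bind"],
           "target": None, "attrs": {"*"}, "negated": False}   # no targetattr: all attrs
    for kw, op, val in TARGET_RE.findall(m["targets"]):
        if kw == "target":
            aci["target"] = norm_dn(val[len("ldap:///"):])
        else:
            aci["attrs"] = {a.strip().lower() for a in val.split("||")}
            aci["negated"] = op == "!="
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    aci["rights"] = ALL_RIGHTS if "all" in rights else rights
    return aci

def attr_matches(aci, attr):
    return ("*" in aci["attrs"] or attr.lower() in aci["attrs"]) != aci["negated"]

def keyword_true(key, val, ctx):
    """One userdn / groupdn / ip comparison against the bind context."""
    if key == "ip":                   # "10.100.2.*"-style wildcard on the peer address
        return fnmatch.fnmatchcase(ctx["ip"], val)
    who = val[len("ldap:///"):]
    if key == "groupdn":
        return norm_dn(who) in ctx["groups"]
    special = {"anyone": True, "self": ctx["bind_dn"] == ctx["entry"]}
    return special.get(who, ctx["bind_dn"] == norm_dn(who))

def eval_bind(rule, ctx):
    """Recursive descent over the tokenised rule; 'and' binds tighter than 'or'."""
    toks, pos = [t.group(0) for t in TOKEN_RE.finditer(rule)], [0]
    peek = lambda word: pos[0] < len(toks) and toks[pos[0]].lower() == word
    def atom():
        tok, pos[0] = toks[pos[0]], pos[0] + 1
        if tok == "(":
            value, pos[0] = expr(), pos[0] + 1      # expr() runs first; then skip ")"
            return value
        key, val = re.match(r'(\w+)\s*=\s*"([^"]*)"', tok).groups()
        return keyword_true(key.lower(), val, ctx)
    def term():
        value = atom()
        while peek("and"):
            pos[0] += 1
            value = atom() and value                # both sides always evaluated
        return value
    def expr():
        value = term()
        while peek("or"):
            pos[0] += 1
            value = term() or value
        return value
    return expr()

def check(acis, entry_dn, attr, right, bind_dn, ip, groups=()):
    """(allowed, granting ACI names, denying ACI names). Default deny; any deny wins."""
    ctx = {"entry": norm_dn(entry_dn), "bind_dn": norm_dn(bind_dn) if bind_dn else None,
           "ip": ip, "groups": {norm_dn(g) for g in groups}}
    granted, denied = [], []
    for aci_dn, text in acis:
        aci = parse_aci(text)
        applies = (in_scope(ctx["entry"], norm_dn(aci_dn))             # where the ACI sits
                   and (not aci["target"] or in_scope(ctx["entry"], aci["target"]))
                   and attr_matches(aci, attr) and right in aci["rights"])
        if applies and eval_bind(aci["bind"], ctx):
            (denied if aci["kind"] == "deny" else granted).append(aci["name"])
    return bool(granted) and not denied, granted, denied
```

Calling check(ACIS, "uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu", "roomNumber", "write", "uid=breese,ou=Main,ou=People,dc=txwes,dc=edu", ip) returns (True, ["ICT Admin"], []) for a connection from 10.100.2.5 and (False, [], []) from 10.100.3.7: nothing else in the posted set grants write on another user's roomNumber, so the ip clause alone decides it. Binding as tsmith and editing tsmith's own entry is granted by "Enable self write for common attributes" from any address, which is the one case the gateway test would have passed.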