[OpenLDAP] Rights access error

Craig White craigwhite at azapple.com
Wed Jan 27 06:12:49 UTC 2010


On Tue, 2010-01-26 at 19:27 +0100, Luc MAIGNAN wrote:
> Hi,
> 
> I've set up an OpenLDAP server on an F12 box. It seems to be fine, but 
> only the rootdn has the ability to update entries.
> When a user tries to update an attribute he owns, he gets error 50: 
> insufficient rights access.
> 
> My slapd.conf is configured as below :
> 
> 
> access to *
>          by self write
>          by users read
>          by anonymous auth
> 
> 
> access to *
>         by dn="uid=xxx,ou=Users,dc=xxx,dc=com" write
>         by anonymous auth
>         by self write
>         by * none
> 
> 
> What is the error? Why can't an authenticated user update its own 
> attributes?
----
I tend to use RHEL / CentOS for LDAP server which is a little older but
this may be useful to you...

# allow everybody to try to bind
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=Admin,ou=People,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# give read access to one's entry to himself only
# (a DN has a comma between the uid RDN and ou=People, so the regex needs it too)
access to dn.regex="^uid=([^,]+),ou=People,dc=example,dc=com$$"
        by self read
        by dn.exact="uid=Admin,ou=People,dc=example,dc=com" write
        by anonymous auth
        by * none

access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="uid=Admin,ou=People,dc=example,dc=com" write
        by anonymous read
        by * read

access to dn.subtree="ou=Groups,dc=example,dc=com"
        # same admin DN as the other rules (uid=, not cn=)
        by dn.exact="uid=Admin,ou=People,dc=example,dc=com" write
        by anonymous read
        by * read

access to dn.exact="ou=People,dc=example,dc=com"
        by anonymous read
        by * read

access to dn.exact="dc=example,dc=com"
        by anonymous read
        by * read

access to *
        by anonymous read
        by * read

HTH

Craig
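As an added example, not taken from either message, here is a small Python model of the first-match evaluation slapd applies to the clauses in the reply above. It encodes a subset of them (the password attrs rule, the per-user dn.regex rule, written with a comma between the uid RDN and ou=People as a real DN has, the ou=People subtree rule and the catch-all) and reports which access level a bind DN gets; the DNs uid=luc and uid=bob are constructed.

```python
import re

# Constructed model of the first, second, third and last "access to" clauses
# from the reply above (same order as in slapd.conf). slapd evaluates the
# FIRST "access to" whose target matches, then the FIRST "by" whose subject
# matches; an "access to" that matches with no matching "by" means "none".
ADMIN = "uid=Admin,ou=People,dc=example,dc=com"
ACLS = [
    (("attrs", {"userPassword", "sambaNTPassword", "sambaLMPassword"}),
     [("dn.exact", ADMIN, "write"), ("self", None, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    (("dn.regex", r"^uid=[^,]+,ou=People,dc=example,dc=com$"),
     [("self", None, "read"), ("dn.exact", ADMIN, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    (("dn.subtree", "ou=People,dc=example,dc=com"),
     [("dn.exact", ADMIN, "write"), ("anonymous", None, "read"),
      ("*", None, "read")]),
    (("*", None), [("anonymous", None, "read"), ("*", None, "read")]),
]

def target_matches(kind, val, dn, attr):
    """Does this "access to" clause cover the requested entry/attribute?"""
    dn = dn.lower()
    if kind == "attrs":
        return attr in val
    if kind == "dn.regex":
        return re.search(val, dn, re.IGNORECASE) is not None
    if kind == "dn.subtree":
        return dn == val.lower() or dn.endswith("," + val.lower())
    return True  # "*"

def subject_matches(kind, val, bind_dn, dn):
    """Does this "by" clause apply to the bound identity (None = anonymous)?"""
    if kind == "self":
        return bind_dn is not None and bind_dn.lower() == dn.lower()
    if kind == "anonymous":
        return bind_dn is None
    if kind == "dn.exact":
        return bind_dn is not None and bind_dn.lower() == val.lower()
    return True  # "*"

def access(bind_dn, dn, attr="entry"):
    """Access level granted to bind_dn on attr of entry dn."""
    for (kind, val), by in ACLS:
        if not target_matches(kind, val, dn, attr):
            continue
        for by_kind, by_val, level in by:
            if subject_matches(by_kind, by_val, bind_dn, dn):
                return level
        return "none"  # clause matched, no "by" did: implicit "by * none"
    return "none"      # no clause matched: slapd denies
```

Under these clauses a user gets only read on its own non-password attributes, because the dn.regex clause matches first and its `by self read` wins before the later subtree rule is ever consulted; letting users edit their own entry needs `by self write` in that clause.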

