[Fedora-directory-users] Re: Does userattr="parent[1].attribute#LDAPURL" work ?
François Beretti
francois.beretti at gmail.com
Mon Sep 25 08:53:33 UTC 2006
Hi again,
since my first post may be complex, I made a much simpler sample, with
standard objects.
I created a root suffix 'o=bug'
with two ACI:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr="parent[1].description#LDAPURL";)
Then I added a user, uid=testuser,o=bug
Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)
According to the ACIs, testuser should be able to modify ou=testparentobject
and to create child objects under it.
But he can only modify it.
I can't find where I made a mistake.
I attach my LDIF files and LDAP commands.
Thank you for your help
François
Here are the LDIF files:
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit
--------- modification command ----------
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$
--------- creation command -----------
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
additional info: Insufficient 'add' privilege to add the entry
'ou=testchildobject,ou=testparentobject,o=bug'.
$
---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789
---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject
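As an added, constructed illustration (not part of the message above and not Fedora Directory Server code), the following Python evaluates a userattr="parent[n].attr#LDAPURL" bind rule the way the message reads it: walk n RDNs up from the target DN, read the named attribute on that entry, parse the LDAP URL it holds, and check whether the bind DN lies inside the URL's base and scope and matches its filter. The entries are an in-memory copy of the o=bug dump; DN handling is simplified (no escaped commas) and the filter evaluator covers only equality, presence, &, | and !. Run against the two operations in the message it grants both the modify (level 0) and the add (level 1), which is the poster's expectation, whereas the real server refused the add; the script therefore only makes the intended evaluation explicit for comparison with what the server actually decides.

```python
import re
from urllib.parse import unquote

# Constructed in-memory copy of the entries from the o=bug dump.
# Keys are normalised DNs (lower-case, no spaces); attribute names are lower-case.
DIRECTORY = {
    "o=bug": {"objectclass": ["top", "organization"], "o": ["bug"]},
    "uid=testuser,o=bug": {
        "objectclass": ["top", "person", "organizationalperson", "inetorgperson"],
        "uid": ["testuser"], "cn": ["Test User"], "sn": ["User"],
    },
    "ou=testparentobject,o=bug": {
        "objectclass": ["top", "organizationalunit"],
        "ou": ["testparentobject"],
        "description": ["ldap:///o=bug??sub?(uid=testuser)"],
    },
}

# ldap://host/base?attrs?scope?filter (RFC 4516), every part after base optional.
_URL_RE = re.compile(
    r"^ldap://(?P<host>[^/]*)/(?P<base>[^?]*)"
    r"(?:\?(?P<attrs>[^?]*))?(?:\?(?P<scope>[^?]*))?(?:\?(?P<filter>[^?]*))?$",
    re.IGNORECASE,
)


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around commas (no escaped-comma support)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parent_dn(dn, level):
    """Drop `level` leading RDNs: level 0 is the entry itself, 1 is its parent."""
    return ",".join(normalize_dn(dn).split(",")[level:])


def parse_ldap_url(url):
    """Return (base, scope, filter) with the RFC defaults for missing parts."""
    m = _URL_RE.match(url.strip())
    if m is None:
        raise ValueError("not an LDAP URL: %r" % url)
    scope = (m.group("scope") or "base").lower()
    flt = unquote(m.group("filter") or "(objectclass=*)")
    return normalize_dn(m.group("base")), scope, flt


def in_scope(dn, base, scope):
    """Is dn within base for the given search scope (base, one or sub)?"""
    d, b = normalize_dn(dn).split(","), normalize_dn(base).split(",")
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # dn is not under base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)


def _split_top_level(s):
    """Split "(a)(b)(c)" into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Evaluate equality, presence, &, | and ! filters against one entry."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("unsupported filter: %r" % flt)
    body = flt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [match_filter(entry, sub) for sub in _split_top_level(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def userattr_ldapurl_allows(bind_dn, target_dn, attr, level=0, directory=DIRECTORY):
    """True if bind_dn is selected by an LDAP URL stored in `attr` of the entry
    `level` RDNs above target_dn (the reading of userattr="parent[level].attr#LDAPURL"
    used in the message). A missing holder or bind entry yields False."""
    holder = directory.get(parent_dn(target_dn, level))
    bind_entry = directory.get(normalize_dn(bind_dn))
    if holder is None or bind_entry is None:
        return False
    for url in holder.get(attr.lower(), []):
        if not url.lower().startswith("ldap:"):
            continue  # only LDAP URL values count for the #LDAPURL bind type
        base, scope, flt = parse_ldap_url(url)
        if in_scope(bind_dn, base, scope) and match_filter(bind_entry, flt):
            return True
    return False


if __name__ == "__main__":
    user = "uid=testuser,o=bug"
    parent = "ou=testparentobject,o=bug"
    child = "ou=testchildobject,ou=testparentobject,o=bug"
    print("modify parent, description#LDAPURL:", userattr_ldapurl_allows(user, parent, "description", 0))
    print("add child, parent[1].description#LDAPURL:", userattr_ldapurl_allows(user, child, "description", 1))
```

The add case is the instructive one: the child entry is not in the snapshot, so a level-0 lookup on it fails while the level-1 lookup lands on the existing parent and succeeds. Comparing that outcome with the "Insufficient access (50)" returned by ldapadd is a quick way to pin down which step of the evaluation the server treats differently from this reading.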