[Fedora-directory-users] ACIs Don't Work?
Glenn
glenn at mail.txwes.edu
Wed Dec 5 16:07:00 UTC 2007
---------- Original Message -----------
From: Rich Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users at redhat.com>
Sent: Wed, 05 Dec 2007 08:18:53 -0700
Subject: Re: [Fedora-directory-users] ACIs Don't Work?
> Glenn wrote:
> > I'm trying to establish an ACI for directory administrators in Fedora
> > Directory 1.0.3. In the directory console, I right-click the OU and
> > select "Set Access Permissions". I visit each tab in the visual editor and
> > enter the correct users, rights, targets, hosts and times. After saving, the
> > OU shows one ACI. Then I log in to the web-based Directory Server Gateway as
> > one of the users specified in the ACI, but I am unable to edit another user's
> > directory attributes. The error message is:
> >
> > "An error occurred while contacting the LDAP server.
> > (Insufficient access - Insufficient 'write' privilege to the 'roomNumber'
> > attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )
> >
> > You do not have sufficient privileges to perform the operation."
> >
> > I checked all the inherited ACIs on the OU, and no rights are denied. What
> > else should I look at? Thanks. -Glenn.
> >
> It would be very helpful if you could post the ACIs you have:
> ldapsearch -x -D "cn=directory manager" -w password -s sub -b
> "dc=your, dc=suffix" "aci=*" aci
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
------- End of Original Message -------
Rich - I'm posting the ACIs below. I tried to remove extra carriage returns
for readability. Thanks. -Glenn.
# extended LDIF
#
# LDAPv3
# base <dc=txwes,dc=edu> with scope sub
# filter: aci=*
# requesting: aci
#
# txwes.edu
dn: dc=txwes,dc=edu
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
allow (read, search, compare)userdn="ldap:///anyone";)
aci: (targetattr="carLicense ||description ||displayName
||facsimileTelephoneNumber ||homePhone ||homePostalAddress||initials
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox
||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st||street
||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword
||userSMIMECertificate||x500UniqueIdentifier")(version 3.0; acl "Enable self
write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow
(all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
o=NetscapeRoot";)
aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators
Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators,
ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=txwes,dc=edu");)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn
= "ldap:///cn=slapd-sibelius, cn=Fedora Directory Server, cn=Server Group,
cn=sibelius.txwes.edu, ou=txwes.edu, o=NetscapeRoot";)
# People, txwes.edu
dn: ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu")
(version 3.0;acl "ICT Admin";allow (all)(userdn
= "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or userdn
= "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu" or userdn
= "ldap:///uid=cchiles,ou=Main,ou=People,dc=txwes,dc=edu" or userdn
= "ldap:///uid=pirwinsky,ou=Main,ou=People,dc=txwes,dc=edu" or userdn
= "ldap:///uid=sserrano,ou=Main,ou=People,dc=txwes,dc=edu") and
(ip="10.100.2.*" or ip="10.100.2.21");)
# Law, People, txwes.edu
dn: ou=Law,ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all)(userdn
= "ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or userdn
= "ldap:///uid=jseifert,ou=Law,ou=People,dc=txwes,dc=edu" or user dn
= "ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and
(ip="192.168.168.*" or ip="10.100.8.*" or ip="10.100.9.*" or ip="10.100.10.*"
or ip="10.100.11.*" or ip="192.168.10.*" or ip="192.168.20.*" or
ip="192.168.30.*");)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
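As an added example (not code from this thread or from Fedora Directory Server), here is a small Python evaluator for ACIs shaped like the ones above: targetattr (= and !=), an allow/deny rights list, and userdn/ip bind rules combined with and/or; the target clause and groupdn are not modelled, and "and" is assumed to bind tighter than "or". It makes visible what each clause actually gates, in particular that the ip clause is matched against the address the LDAP connection arrives from, so a request made through a web gateway is checked against the gateway host's address, not the browser's.

```python
import re
from fnmatch import fnmatch

# Constructed, simplified ACI evaluator (not Fedora DS's own code): models targetattr (= and !=),
# allow/deny with a rights list, and userdn/ip bind rules joined by and/or. No target or groupdn.
TERM = re.compile(r'(userdn|ip)\s*=\s*"([^"]*)"')
_norm = lambda dn: re.sub(r'\s*,\s*', ',', dn.strip().lower())  # DN compare: case/space-insensitive
def _tokens(rule):
    """Split a bind rule into '(', ')', 'and', 'or' and (keyword, value) terms."""
    out, i = [], 0
    while i < len(rule):
        m = TERM.match(rule, i)
        if m: out.append((m.group(1), m.group(2))); i = m.end(); continue
        if rule[i] in '()': out.append(rule[i])
        elif rule.startswith('and', i): out.append('and'); i += 2
        elif rule.startswith('or', i): out.append('or'); i += 1
        i += 1
    return out
def _matches(tokens, binddn, ip, entry):
    """Recursive descent over the token list; 'and' binds tighter than 'or' (assumed precedence)."""
    pos = [0]
    def atom():
        t = tokens[pos[0]]; pos[0] += 1
        if t == '(': v = expr(); pos[0] += 1; return v      # the extra += 1 consumes ')'
        kw, val = t
        if kw == 'ip': return fnmatch(ip, val)   # matched against the LDAP client's address
        name = val[len('ldap:///'):]
        if name == 'self': return _norm(entry) == _norm(binddn)   # bound as the entry being edited
        return name == 'anyone' or _norm(name) == _norm(binddn)
    def term():
        v = atom()
        while pos[0] < len(tokens) and tokens[pos[0]] == 'and':
            pos[0] += 1; v = atom() and v   # atom() first, so its tokens are always consumed
        return v
    def expr():
        v = term()
        while pos[0] < len(tokens) and tokens[pos[0]] == 'or':
            pos[0] += 1; v = term() or v
        return v
    return expr()
def aci_decision(aci, binddn, ip, entry, attr, right):
    """Return 'allow' or 'deny' if this single ACI applies to the request, else None."""
    ta = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    listed = [a.strip().lower() for a in ta.group(2).split('||')]
    covered = listed == ['*'] or attr.lower() in listed
    if covered != (ta.group(1) == '='): return None   # "!=" covers every attribute not listed
    m = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*(.*);\s*\)\s*$', aci, re.S)
    rights = [r.strip() for r in m.group(2).split(',')]
    if 'all' not in rights and right not in rights: return None
    return m.group(1) if _matches(_tokens(m.group(3)), binddn, ip, entry) else None
```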