[Fedora-directory-users] ACIs Don't Work?

Glenn glenn at mail.txwes.edu
Wed Dec 5 16:07:00 UTC 2007


---------- Original Message -----------
From: Rich Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Wed, 05 Dec 2007 08:18:53 -0700
Subject: Re: [Fedora-directory-users] ACIs Don't Work?

> Glenn wrote:
> > I'm trying to establish an ACI for directory administrators in Fedora
> > Directory 1.0.3.  In the directory console, I right-click the OU and
> > select "Set Access Permissions".  I visit each tab in the visual editor
> > and enter the correct users, rights, targets, hosts and times.  After
> > saving, the OU shows one ACI.  Then I log in to the web-based Directory
> > Server Gateway as one of the users specified in the ACI, but I am unable
> > to edit another user's directory attributes.  The error message is:
> >
> > "An error occurred while contacting the LDAP server.
> > (Insufficient access - Insufficient 'write' privilege to the 'roomNumber'
> > attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )
> >
> > You do not have sufficient privileges to perform the operation."
> >
> > I checked all the inherited ACIs on the OU, and no rights are denied.
> > What else should I look at?  Thanks.   -Glenn.
> >   
> It would be very helpful if you could post the acis you have:
> ldapsearch -x -D "cn=directory manager" -w password -s sub -b 
> "dc=your, dc=suffix" "aci=*" aci
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
------- End of Original Message -------

Rich - I'm posting the acis below.  I tried to remove extra carriage returns 
for readability.  Thanks.   -Glenn.

# extended LDIF
#
# LDAPv3
# base <dc=txwes,dc=edu> with scope sub
# filter: aci=*
# requesting: aci
#
# txwes.edu
dn: dc=txwes,dc=edu
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
 allow (read, search, compare)userdn="ldap:///anyone";)
aci: (targetattr="carLicense ||description ||displayName 
||facsimileTelephoneNumber ||homePhone ||homePostalAddress||initials 
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox 
||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage 
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st||street 
||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword 
||userSMIMECertificate||x500UniqueIdentifier")(version 3.0; acl "Enable self 
write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow 
(all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement, 
o=NetscapeRoot";)
aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators 
Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, 
ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=txwes,dc=edu");)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn 
= "ldap:///cn=slapd-sibelius, cn=Fedora Directory Server, cn=Server Group, 
cn=sibelius.txwes.edu, ou=txwes.edu, o=NetscapeRoot";)
# People, txwes.edu
dn: ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu") 
(version 3.0;acl "ICT Admin";allow (all)(userdn 
= "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or userdn 
= "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu" or userdn 
= "ldap:///uid=cchiles,ou=Main,ou=People,dc=txwes,dc=edu" or userdn 
= "ldap:///uid=pirwinsky,ou=Main,ou=People,dc=txwes,dc=edu" or userdn 
= "ldap:///uid=sserrano,ou=Main,ou=People,dc=txwes,dc=edu") and 
(ip="10.100.2.*" or ip="10.100.2.21");)
# Law, People, txwes.edu
dn: ou=Law,ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all)(userdn 
= "ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or userdn 
= "ldap:///uid=jseifert,ou=Law,ou=People,dc=txwes,dc=edu" or user dn 
= "ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and 
(ip="192.168.168.*" or ip="10.100.8.*" or ip="10.100.9.*" or ip="10.100.10.*" 
or ip="10.100.11.*" or ip="192.168.10.*" or ip="192.168.20.*" or 
ip="192.168.30.*");)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
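What follows is an added example, not code from the thread or from Fedora Directory Server: a small Python model of how the server decides a write against the ACIs posted above. It reads the ACI values as dumped (an ACI's scope is the subtree of the entry it sits on, narrowed by target and targetattr; any matching deny wins; with no matching allow the answer is the default, denied) and evaluates the userdn/groupdn/ip bind rules for a given bind DN, client address and target entry. Two things it makes concrete. First, the ip keyword is matched against the address of the connection the directory server receives; a user working through the Directory Server Gateway reaches the server from the Gateway host, so it is that host's address, not the browser's, that has to fall inside 10.100.2.*. Second, the "ICT-Law Admin" value as transcribed contains "user dn" with a space, and the parser refuses it rather than quietly dropping the clause; whether the stored value carries the same typo is something to verify with the ldapsearch command Rich gave. The bind DN uid=breese, the off-subnet address 10.100.3.7, and the shortened attribute and userdn lists are assumptions made for the example.

```python
"""Toy evaluator for the 389 / Fedora Directory Server ACI constructs used in the
dump above (targetattr, target, allow/deny, userdn/groupdn/ip bind rules, and/or).
Added example, not server code; targetfilter, roledn, authmethod, timeofday and
macro ACIs are not modelled."""
import re
from fnmatch import fnmatch

HEAD = re.compile(r'\((targetattr|target)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                  r'\(([^)]*)\)(.*?);\s*\)\s*$', re.S)
TOKEN = re.compile(r'\s*(?:(\()|(\))|\b(and|or)\b|(userdn|groupdn|ip)\s*(!?=)\s*"([^"]*)")')

def norm_dn(dn):
    """Case-fold a DN and drop the blanks after commas that the dump mixes in."""
    return ",".join(p.strip().lower() for p in dn.replace("ldap:///", "").split(","))

def tokenize(rules):
    """Bind rule -> '(' ')' 'and' 'or' and (keyword, op, value) tuples; anything else raises."""
    toks, pos, rules = [], 0, rules.strip()
    while pos < len(rules):
        m = TOKEN.match(rules, pos)
        if not m:
            raise ValueError("unparsable bind rule near %r" % rules[pos:pos + 25])
        lp, rp, op, kw, cmp_, val = m.groups()
        toks.append(lp or rp or op or (kw, cmp_, val))
        pos = m.end()
    return toks

def parse_aci(text):
    attrs, negate, target = None, False, None
    for kw, op, val in HEAD.findall(text):
        if kw == "targetattr":
            attrs, negate = {a.strip().lower() for a in val.split("||")}, op == "!="
        else:
            target = norm_dn(val)
    m = BODY.search(text)
    if not m or attrs is None:
        raise ValueError("unsupported ACI shape: " + text[:40])
    name, effect, rights, rules = m.groups()
    return dict(name=name, effect=effect, attrs=attrs, negate=negate, target=target,
                rights={r.strip() for r in rights.split(",")}, rules=tokenize(rules))

def compare(kw, val, ctx):
    if kw == "ip":                  # matched against the address the server sees connecting
        return fnmatch(ctx["ip"], val)
    dn = norm_dn(val)
    if kw == "groupdn":
        return dn in ctx["groups"]
    return {"anyone": True, "all": ctx["bind_dn"] is not None,
            "self": ctx["bind_dn"] == ctx["entry"]}.get(dn, ctx["bind_dn"] == dn)

def evaluate(toks, ctx):
    """and/or/parentheses precedence is Python's, so replace each comparison by its
    truth value and let Python evaluate.  Safe only because tokenize() admits nothing
    but the token kinds above."""
    words = []
    for t in toks:
        if isinstance(t, tuple):
            kw, op, val = t
            words.append(str(compare(kw, val, ctx) != (op == "!=")))
        else:
            words.append(t)
    return eval(" ".join(words), {"__builtins__": {}}, {})   # SyntaxError = malformed rule

def in_scope(entry, scope):
    return scope is None or entry == scope or entry.endswith("," + scope)

def check(acis, bind_dn, client_ip, entry, attr, right="write", groups=()):
    """(granted, names of deciding ACIs): any matching deny wins, no matching allow = denied."""
    ctx = dict(bind_dn=norm_dn(bind_dn) if bind_dn else None, ip=client_ip,
               entry=norm_dn(entry), groups={norm_dn(g) for g in groups})
    hits = []
    for placed_at, text in acis:        # an ACI covers the subtree of the entry it sits on
        aci = parse_aci(text)
        if not (in_scope(ctx["entry"], norm_dn(placed_at)) and in_scope(ctx["entry"], aci["target"])):
            continue
        if ("*" in aci["attrs"] or attr.lower() in aci["attrs"]) == aci["negate"]:
            continue
        if right not in aci["rights"] and "all" not in aci["rights"]:
            continue
        if evaluate(aci["rules"], ctx):
            hits.append((aci["effect"], aci["name"]))
    denied = [n for e, n in hits if e == "deny"]
    allowed = [n for e, n in hits if e == "allow"]
    return (False, denied) if denied else (bool(allowed), allowed)

# Constructed from the dump above as (entry the aci sits on, aci value); the self-write
# attribute list and the ICT Admin userdn list are shortened for readability.
ACIS = [
    ("dc=txwes,dc=edu", '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous '
     'access"; allow (read, search, compare)userdn="ldap:///anyone";)'),
    ("dc=txwes,dc=edu", '(targetattr="mail ||roomNumber ||telephoneNumber")(version 3.0; acl '
     '"Enable self write for common attributes"; allow (write) userdn="ldap:///self";)'),
    ("dc=txwes,dc=edu", '(targetattr ="*")(version 3.0;acl "Directory Administrators Group";'
     'allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=txwes,dc=edu");)'),
    ("ou=People,dc=txwes,dc=edu", '(targetattr = "*") (target = "ldap:///ou=People,dc=txwes,'
     'dc=edu") (version 3.0;acl "ICT Admin";allow (all)(userdn = "ldap:///uid=breese,ou=Main,'
     'ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,'
     'dc=edu") and (ip="10.100.2.*" or ip="10.100.2.21");)'),
]
# The "ICT-Law Admin" value as transcribed in the post, "user dn" (with a space) included.
LAW_ACI = ('(targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all)(userdn = '
           '"ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or user dn = '
           '"ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and (ip="10.100.8.*");)')
TSMITH = "uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu"   # entry named in the error message
BREESE = "uid=breese,ou=Main,ou=People,dc=txwes,dc=edu"   # one of the ICT Admin users
```

Call check() with the ACI list, the bind DN, the client address as the server sees it, the target entry and the attribute; it returns whether the right is granted and which ACIs decided it. check(ACIS, BREESE, "10.100.2.21", TSMITH, "roomNumber") is granted by "ICT Admin", the same call from 10.100.3.7 is denied with no ACI matching at all, and parse_aci(LAW_ACI) raises ValueError on the "user dn" clause. The model is only a reading aid; the authoritative answer is the server's own access log and the error it returns.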