[Fedora-directory-users] ACIs Don't Work?

Glenn glenn at mail.txwes.edu
Wed Dec 12 16:17:13 UTC 2007


Anyone got a clue?  Thanks.   -Glenn.

---------- Original Message -----------
From: "Glenn" <glenn at mail.txwes.edu>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Wed, 5 Dec 2007 11:07:00 -0500
Subject: Re: [Fedora-directory-users] ACIs Don't Work?

> ---------- Original Message -----------
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
> Sent: Wed, 05 Dec 2007 08:18:53 -0700
> Subject: Re: [Fedora-directory-users] ACIs Don't Work?
> 
> > Glenn wrote:
> > > I'm trying to establish an ACI for directory administrators in Fedora
> > > Directory 1.0.3.  In the directory console, I right-click the OU and
> > > select "Set Access Permissions".  I visit each tab in the visual editor and
> > > enter the correct users, rights, targets, hosts and times.  After saving, the
> > > OU shows one ACI.  Then I log in to the web-based Directory Server Gateway as
> > > one of the users specified in the ACI, but I am unable to edit another user's
> > > directory attributes.  The error message is:
> > >
> > > "An error occurred while contacting the LDAP server.
> > > (Insufficient access - Insufficient 'write' privilege to the 'roomNumber'
> > > attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )
> > >
> > > You do not have sufficient privileges to perform the operation."
> > >
> > > I checked all the inherited ACIs on the OU, and no rights are denied.  What
> > > else should I look at?  Thanks.   -Glenn.
> > >
> > It would be very helpful if you could post the acis you have:
> > ldapsearch -x -D "cn=directory manager" -w password -s sub -b 
> > "dc=your, dc=suffix" "aci=*" aci
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> ------- End of Original Message -------
> 
> Rich - I'm posting the acis below.  I tried to remove extra carriage 
> returns for readability.  Thanks.   -Glenn.
> 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=txwes,dc=edu> with scope sub
> # filter: aci=*
> # requesting: aci
> #
> # txwes.edu
> dn: dc=txwes,dc=edu
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
>  allow (read, search, compare)userdn="ldap:///anyone";)
> aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber
>  ||homePhone ||homePostalAddress||initials ||jpegPhoto ||labeledURL ||mail ||mobile
>  ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod
>  ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st||street
>  ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword
>  ||userSMIMECertificate||x500UniqueIdentifier")(version 3.0; acl "Enable self write
>  for common attributes"; allow (write) userdn="ldap:///self";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all)
>  userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all)
>  (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement,
>  o=NetscapeRoot");)
> aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all)
>  (groupdn = "ldap:///cn=Directory Administrators, dc=txwes,dc=edu");)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn =
>  "ldap:///cn=slapd-sibelius, cn=Fedora Directory Server, cn=Server Group,
>  cn=sibelius.txwes.edu, ou=txwes.edu, o=NetscapeRoot";)
> # People, txwes.edu
> dn: ou=People,dc=txwes,dc=edu
> aci: (targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu")
>  (version 3.0;acl "ICT Admin";allow (all)
>  (userdn = "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or
>  userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu" or
>  userdn = "ldap:///uid=cchiles,ou=Main,ou=People,dc=txwes,dc=edu" or
>  userdn = "ldap:///uid=pirwinsky,ou=Main,ou=People,dc=txwes,dc=edu" or
>  userdn = "ldap:///uid=sserrano,ou=Main,ou=People,dc=txwes,dc=edu") and
>  (ip="10.100.2.*" or ip="10.100.2.21");)
> # Law, People, txwes.edu
> dn: ou=Law,ou=People,dc=txwes,dc=edu
> aci: (targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all)
>  (userdn = "ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or
>  userdn = "ldap:///uid=jseifert,ou=Law,ou=People,dc=txwes,dc=edu" or
>  user dn = "ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and
>  (ip="192.168.168.*" or ip="10.100.8.*" or ip="10.100.9.*" or ip="10.100.10.*" or
>  ip="10.100.11.*" or ip="192.168.10.*" or ip="192.168.20.*" or ip="192.168.30.*");)
> # search result
> search: 2
> result: 0 Success
> # numResponses: 4
> # numEntries: 3
> 
------- End of Original Message -------
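Added here as a worked example, not code from the thread or from Fedora Directory Server: a small Python evaluator for the subset of ACI syntax Glenn posted (targetattr, target, allow rights, userdn and ip bind rules), run against two of his ACIs collapsed to single strings, to show which ACI, if any, grants a given bind DN write access to an attribute of a given entry from a given client address. It is a simplification and the server's own evaluation stays authoritative: groupdn rules and deny ACIs are ignored, scope is approximated by DN suffix, and the bind DN, client IP and entry DN used in the checks are constructed.

```python
import re
from fnmatch import fnmatch
# Constructed sample: two ACIs from the thread collapsed to one string each, paired
# with the DN of the entry that carries the aci attribute (the LDIF "dn:" line).
SAMPLE_ACIS = [
    ("dc=txwes,dc=edu",
     '(targetattr="roomNumber ||telephoneNumber ||mobile")(version 3.0; acl '
     '"Enable self write for common attributes"; allow (write) userdn="ldap:///self";)'),
    ("ou=People,dc=txwes,dc=edu",
     '(targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu") '
     '(version 3.0;acl "ICT Admin";allow (all)(userdn = '
     '"ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = '
     '"ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu") and '
     '(ip="10.100.2.*" or ip="10.100.2.21");)'),
]

def norm_dn(dn):
    """Lower-case a DN and drop blanks after commas so differently typed DNs compare equal."""
    return re.sub(r",\s*", ",", dn.strip().lower())

def in_subtree(entry, base):
    return entry == base or entry.endswith("," + base)

def parse_aci(aci):
    """Extract the clauses this evaluator understands (regexes, not a full ACI parser)."""
    ta = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    tgt = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"', aci)
    return {
        "name": re.search(r'acl\s*"([^"]*)"', aci).group(1),
        "negate": ta.group(1) == "!=",  # targetattr!="x" means every attribute except x
        "attrs": [a.strip().lower() for a in ta.group(2).split("||")],
        "target": norm_dn(tgt.group(1)) if tgt else None,
        "rights": [r.strip().lower() for r in re.search(r'allow\s*\(([^)]*)\)', aci).group(1).split(",")],
        "userdns": [norm_dn(u) for u in re.findall(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)],
        "ips": re.findall(r'\bip\s*=\s*"([^"]*)"', aci),
    }

def aci_grants(holder_dn, aci, bind_dn, client_ip, entry_dn, attr, right):
    """True if this one allow ACI grants `right` on `attr` of `entry_dn` to that bind."""
    p = parse_aci(aci)
    entry, bind = norm_dn(entry_dn), norm_dn(bind_dn)
    scope_ok = in_subtree(entry, norm_dn(holder_dn)) and (p["target"] is None or in_subtree(entry, p["target"]))
    listed = "*" in p["attrs"] or attr.lower() in p["attrs"]
    attr_ok = (not listed) if p["negate"] else listed
    right_ok = "all" in p["rights"] or right in p["rights"]
    who_ok = "anyone" in p["userdns"] or bind in p["userdns"] or ("self" in p["userdns"] and bind == entry)
    ip_ok = not p["ips"] or any(fnmatch(client_ip, pat) for pat in p["ips"])  # no ip clause: any host
    return scope_ok and attr_ok and right_ok and who_ok and ip_ok

def granting_acis(acis, bind_dn, client_ip, entry_dn, attr, right="write"):
    """Names of the ACIs that grant the request; an empty list is an Insufficient access result."""
    return [parse_aci(a)["name"] for holder, a in acis
            if aci_grants(holder, a, bind_dn, client_ip, entry_dn, attr, right)]
```

Calling granting_acis with one of the ICT Admin users and a client address outside the ACI's ip clause returns an empty list, so the client address of the failing Gateway session is one of the inputs worth comparing against the ACI.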




More information about the Fedora-directory-users mailing list