Discussion:
Openldap - ldap user can't add entry: Insufficient access (no write access to parent)
Ervin Hegedüs
2015-10-18 08:40:48 UTC
Hello,

(I'm not an LDAP guru - sorry for lame question(s))

I'd like to make an addressbook in LDAP (for mailing clients, in
the first step for my RoundCube). Server is Debian 7.9, slapd 2.4.31
(OpenLDAP). After the successful installation, I've created a
subtree for the addressbook:

dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit

dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit

dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit

and a regular user for RoundCube:

dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1

But when I want to make a new entry as rcuser, I've got this
error:

ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password:
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
additional info: no write access to parent

The ou=public,ou=rcabook subtree has a special access in config:

# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write
olcLastMod: TRUE
...

Which privileges do I need to add so that all users can add
entries to the subtree?

Thanks,

a.
--
I ♥ UTF-8
Abdelhamid Meddeb
2015-10-22 08:15:05 UTC
Hi,

According to:
http://www.openldap.org/lists/openldap-technical/201509/msg00133.html

The {3} rule is never used because {2} matches everything (to * by *
read). Nobody has write privilege except rootdn
(cn=admin,dc=mydomain,dc=com) who, by the way, does not need an explicit
configuration for that.

Cheers.
Post by Ervin Hegedüs
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
> olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write
> olcLastMod: TRUE
> ...
> Which privileges do I need to add so that all users can add
> entries to the subtree?
> Thanks,
> a.
--
*Abdelhamid Meddeb*
http://www.meddeb.net
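To make the first-match behaviour in the reply above concrete, here is a small added example (it is not part of the thread and not OpenLDAP code) that models how slapd walks the olcAccess list: the first `to` clause whose target matches the entry and attribute wins, and inside it the first matching `by` clause fixes the level. It only implements the target and subject forms that appear in the thread, and the "children" pseudo-attribute check on the parent is the simplified model of what "no write access to parent" refers to. It reproduces the four rules from the post, once in the posted order and once with the `dn.subtree` rule moved ahead of the `to *` catch-all, and can print the reordered rules back as olcAccess lines.

```python
"""Toy model of slapd olcAccess evaluation (constructed example, not OpenLDAP
code): first matching 'to' clause wins; within it, first matching 'by' wins."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access levels in ascending order; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# DNs taken from the thread.
ADMIN = "cn=admin,dc=mydomain,dc=com"
RCUSER = "cn=rcuser,ou=rcabook,dc=mydomain,dc=com"
PUBLIC = "ou=public,ou=rcabook,dc=mydomain,dc=com"
PRIVATE = "ou=private,ou=rcabook,dc=mydomain,dc=com"


def normalize(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def in_subtree(dn: str, base: str) -> bool:
    dn, base = normalize(dn), normalize(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class Rule:
    target: str                      # "*", "attrs:<a,b>", "base:<dn>", "subtree:<dn>"
    by: List[Tuple[str, str]]        # (who, level) pairs in written order


def target_matches(rule: Rule, dn: str, attr: Optional[str]) -> bool:
    kind, _, arg = rule.target.partition(":")
    if kind == "*":
        return True
    if kind == "attrs":              # attrs= rules only fire for attribute checks
        return attr is not None and attr in arg.split(",")
    if kind == "base":
        return normalize(dn) == normalize(arg)
    if kind == "subtree":
        return in_subtree(dn, arg)
    raise ValueError(rule.target)


def who_matches(who: str, binddn: Optional[str], dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":               # any authenticated bind
        return binddn is not None
    if who == "self":
        return binddn is not None and normalize(binddn) == normalize(dn)
    if who.startswith("dn:"):
        return binddn is not None and normalize(binddn) == normalize(who[3:])
    raise ValueError(who)


def access_level(rules, binddn, dn, attr=None) -> str:
    """Level granted to binddn on (dn, attr); binddn None means anonymous."""
    for rule in rules:
        if target_matches(rule, dn, attr):
            for who, level in rule.by:
                if who_matches(who, binddn, dn):
                    return level
            return "none"            # target matched, no 'by' did: implicit 'by * none'
    return "none"


def can_add_child(rules, binddn, parent) -> bool:
    # Adding an entry needs write access on the parent's "children" pseudo-attribute.
    lvl = access_level(rules, binddn, parent, attr="children")
    return LEVELS.index(lvl) >= LEVELS.index("write")


# The four rules from the post, kept as separate objects so they can be reordered.
R_PASSWORD = Rule("attrs:userPassword,shadowLastChange",
                  [("self", "write"), ("anonymous", "auth"),
                   ("dn:" + ADMIN, "write"), ("*", "none")])
R_ROOTDSE = Rule("base:", [("*", "read")])
R_CATCHALL = Rule("*", [("dn:" + ADMIN, "write"), ("*", "read")])
R_PUBLIC = Rule("subtree:" + PUBLIC, [("users", "write")])

ORIGINAL = [R_PASSWORD, R_ROOTDSE, R_CATCHALL, R_PUBLIC]   # {0}..{3} as posted
FIXED = [R_PASSWORD, R_ROOTDSE, R_PUBLIC, R_CATCHALL]      # subtree rule before 'to *'


def render_olcaccess(rules) -> List[str]:
    """Render rules as olcAccess lines, indexed in evaluation order."""
    out = []
    for i, r in enumerate(rules):
        kind, _, arg = r.target.partition(":")
        target = {"*": "*", "attrs": f"attrs={arg}", "base": f'dn.base="{arg}"',
                  "subtree": f'dn.subtree="{arg}"'}[kind]
        bys = " ".join(f'by dn="{w[3:]}" {lvl}' if w.startswith("dn:") else f"by {w} {lvl}"
                       for w, lvl in r.by)
        out.append(f"olcAccess: {{{i}}}to {target} {bys}")
    return out


if __name__ == "__main__":
    for name, rules in (("posted order", ORIGINAL), ("fixed order", FIXED)):
        print(f"{name}: rcuser may add under ou=public -> {can_add_child(rules, RCUSER, PUBLIC)}")
    print("\n".join(render_olcaccess(FIXED)))
```

With the posted order, `{2}` matches ou=public first and rcuser only gets `read`, which is exactly the "no write access to parent" error; with the subtree rule moved ahead of the catch-all, rcuser gets `write` on ou=public while anonymous binds and ou=private stay as before, and the `{0}` password rule still wins for userPassword because it comes first. The rendered lines are the order to put into the `olcAccess` values of `olcDatabase={1}hdb,cn=config`. One caveat from a least-privilege angle: `by users write` grants every authenticated bind, not only rcuser, the right to add, modify and delete anything under ou=public; if only the RoundCube user should write there, name it with a `by dn="..."` clause the way cn=admin is named in `{0}` instead of `users`.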