OpenLDAP - LDAP user can't add entry: Insufficient access (no write access to parent)

I'd like to make an addressbook in LDAP (for mail clients, as a first step for my RoundCube). The server is Debian 7.9, slapd 2.4.31 (OpenLDAP). After the successful installation, I've created a subtree for the addressbook:

dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit

dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit

dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit

and a regular user for RoundCube:

dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1

But when I try to add a new entry as rcuser, I get this error:

ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password: 
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
    additional info: no write access to parent

The ou=public,ou=rcabook subtree has a special access rule in the config:

# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ
 e
olcLastMod: TRUE
...

Which privileges do I need to add so that all users can add entries to the subtree?

Thanks,

a.


Solution 1:

From the OpenLDAP ACL documentation:

To add or delete an entry, the subject must have write access to the entry's entry attribute AND must have write access to the entry's parent's children attribute.

So you need to grant access to the entry and children pseudo-attributes:

olcAccess: {3}to dn.children="ou=public,ou=rcabook,dc=mydomain,dc=com" attrs=entry by users write
olcAccess: {4}to dn.base="ou=public,ou=rcabook,dc=mydomain,dc=com" attrs=children by users write
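One thing to check before adding rules: slapd evaluates olcAccess directives in order and stops at the first "to" clause that matches the target, so in the question's config the catch-all "{2}to *" is reached before the "{3}to dn.subtree=..." grant and rcuser only ever gets "read" from it. The Python model below is an added example, not code from the question or the answer; it is a deliberate simplification of slapd's ACL engine (only the <who> forms used here, no DN normalisation, and it assumes that a directive without attrs= covers the entry and children pseudo-attributes) and replays the add check against the question's rules and against the same rules with the subtree grant moved ahead of "to *".

```python
import re

# Constructed copy of the olcAccess rules from the question, one directive per line.
ORIGINAL_ACLS = [
    'to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=mydomain,dc=com" write by * read',
    'to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write',
]
REORDERED_ACLS = [ORIGINAL_ACLS[0], ORIGINAL_ACLS[1], ORIGINAL_ACLS[3], ORIGINAL_ACLS[2]]  # subtree grant before "to *"


def dn_matches(style, base, target):
    # Simplified <dnstyle> matching on lower-cased DN strings (no RFC 4514 normalisation).
    below = base == "" or target.endswith("," + base)
    return {"base": target == base, "children": below and target != base,
            "subtree": below or target == base}[style]


def what_matches(what, target_dn, attr):
    # "to *" matches everything; a missing attrs= list is assumed to cover all attributes,
    # the entry and children pseudo-attributes included.
    if what == "*":
        return True
    dn = re.search(r'dn\.(\w+)="([^"]*)"', what)
    if dn and not dn_matches(dn.group(1), dn.group(2).lower(), target_dn.lower()):
        return False
    attrs = re.search(r"attrs=(\S+)", what)
    return attrs is None or attr in attrs.group(1).split(",")


def who_matches(who, subject, target_dn):
    # Only the <who> forms that appear in the question's rules are modelled.
    if who == "*": return True
    if who == "users": return subject is not None
    if who == "anonymous": return subject is None
    if who == "self": return subject is not None and subject.lower() == target_dn.lower()
    return who.startswith("dn=") and who[3:].strip('"').lower() == (subject or "").lower()


def access_level(acls, subject, target_dn, attr):
    # slapd semantics: the first "to" clause matching the target wins, then its first matching "by".
    for directive in acls:
        what, *by_clauses = re.split(r"\s+by\s+", directive.strip())
        if what_matches(what[3:].strip(), target_dn, attr):
            levels = [lv for who, lv in map(str.split, by_clauses) if who_matches(who, subject, target_dn)]
            return levels[0] if levels else "none"  # no "by" matched: implicit "by * none"
    return "none"  # no "to" matched at all: access denied


def can_add(acls, subject, new_dn):
    # ldapadd needs write on the new entry's "entry" attribute AND on the parent's "children".
    parent_dn = new_dn.split(",", 1)[1]
    return (access_level(acls, subject, new_dn, "entry") in ("write", "manage")
            and access_level(acls, subject, parent_dn, "children") in ("write", "manage"))
```

With the original order, can_add() for rcuser returns False because rule {2} answers "read"; with the subtree grant moved ahead of "to *" it returns True for ou=public, while ou=private and anonymous binds stay denied.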