Openldap - ldap user can't add entry: Insufficient access (no write access to parent)

permissions ldap openldap

I'ld like to make an addressbook in LDAP (for mailing clients, in first step for my RoundCube). Server is Debian 7.9, slapd 2.4.31 (OpenLDAP). After the successfully installation, I've created a subtree for the addressbook:

dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit

dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit

dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit

and a regular user for RoundCube:

dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1

But when I want to make a new entry as rcuser, I've got this error:

ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password: 
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
    additional info: no write access to parent

The ou=public,ou=rcabook subtree has a special access in config:

# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ
 e
olcLastMod: TRUE
...

Which privileges do I need to add, for all user would add the entries to subtree?

Thanks,

a.


Solution 1:

From OpenLDAP ACL documentation:

To add or delete an entry, the subject must have write access to 
the entry's entry attribute AND must have write access to the 
entry's parent's children attribute.

So you need to grant access to the entry and children pseudo attributes:

olcAccess: {3}to dn.entry="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write
olcAccess: {4}to dn.children="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write

Related

Printing from a windows service in one domain to a print server in another windows domains without trust
How to bind a range of ips to ubuntu interfaces
How to downgrade or install a specific version of Composer?
Removing unwanted table cell borders with CSS
Python: Figure out local timezone
How to end a session in ExpressJS
Received an invalid column length from the bcp client for colid 6
scp from Linux to Windows [closed]
PowerShell's Clear-History doesn't clear history
Deleting queues in RabbitMQ
`Apache` `localhost/~username/` not working
How to require that a protocol can only be adopted by a specific class