I'm trying to establish an ACI for directory administrators in Fedora Directory 1.0.3. In the directory console, I right-click the OU and select "Set Access Permissions". I visit each tab in the visual editor and enter the correct users, rights, targets, hosts and times. After saving, the OU shows one ACI. Then I log in to the web-based Directory Server Gateway as one of the users specified in the ACI, but I am unable to edit another user's directory attributes. The error message is:

"An error occurred while contacting the LDAP server.
(Insufficient access - Insufficient 'write' privilege to the 'roomNumber' attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )

You do not have sufficient privileges to perform the operation."

I checked all the inherited ACIs on the OU, and no rights are denied. What else should I look at? Thanks.

-Glenn.
Glenn wrote:
> I'm trying to establish an ACI for directory administrators in Fedora Directory 1.0.3. In the directory console, I right-click the OU and select "Set Access Permissions". I visit each tab in the visual editor and enter the correct users, rights, targets, hosts and times. After saving, the OU shows one ACI. Then I log in to the web-based Directory Server Gateway as one of the users specified in the ACI, but I am unable to edit another user's directory attributes. The error message is:
>
> "An error occurred while contacting the LDAP server.
> (Insufficient access - Insufficient 'write' privilege to the 'roomNumber' attribute of entry 'uid=tsmith,ou=main,ou=people,dc=txwes,dc=edu'. )
>
> You do not have sufficient privileges to perform the operation."
>
> I checked all the inherited ACIs on the OU, and no rights are denied. What else should I look at? Thanks. -Glenn.

It would be very helpful if you could post the acis you have:

ldapsearch -x -D "cn=directory manager" -w password -s sub -b "dc=your, dc=suffix" "aci=*" aci

> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
---------- Original Message -----------
From: Rich Megginson <rmeggins@redhat.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Wed, 05 Dec 2007 08:18:53 -0700
Subject: Re: [Fedora-directory-users] ACIs Don't Work?

> It would be very helpful if you could post the acis you have:
> ldapsearch -x -D "cn=directory manager" -w password -s sub -b "dc=your, dc=suffix" "aci=*" aci
------- End of Original Message -------

Rich - I'm posting the acis below. I tried to remove extra carriage returns for readability. Thanks.

-Glenn.
# extended LDIF
#
# LDAPv3
# base <dc=txwes,dc=edu> with scope sub
# filter: aci=*
# requesting: aci
#

# txwes.edu
dn: dc=txwes,dc=edu
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=txwes,dc=edu");)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///cn=slapd-sibelius, cn=Fedora Directory Server, cn=Server Group, cn=sibelius.txwes.edu, ou=txwes.edu, o=NetscapeRoot";)

# People, txwes.edu
dn: ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu") (version 3.0;acl "ICT Admin";allow (all)(userdn = "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=cchiles,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=pirwinsky,ou=Main,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=sserrano,ou=Main,ou=People,dc=txwes,dc=edu") and (ip="10.100.2.*" or ip="10.100.2.21");)

# Law, People, txwes.edu
dn: ou=Law,ou=People,dc=txwes,dc=edu
aci: (targetattr = "*") (version 3.0;acl "ICT-Law Admin";allow (all)(userdn = "ldap:///uid=BDaniel,ou=Law,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=jseifert,ou=Law,ou=People,dc=txwes,dc=edu" or userdn = "ldap:///uid=gmcguire,ou=Law,ou=People,dc=txwes,dc=edu") and (ip="192.168.168.*" or ip="10.100.8.*" or ip="10.100.9.*" or ip="10.100.10.*" or ip="10.100.11.*" or ip="192.168.10.*" or ip="192.168.20.*" or ip="192.168.30.*");)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
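As an added illustration (not code from the thread or from Fedora Directory Server), the following simplified Python evaluator runs the posted ACIs in outline: an ACI applies only at or below the entry it sits on, userdn clauses are OR'ed, and an ip clause must also match the address of the LDAP client connection. It ignores deny rules, groupdn, targetfilter and the other bind-rule keywords, and abbreviates the self-write attribute list.

```python
import re
from fnmatch import fnmatch

# ACI values from the thread's ldapsearch output (suffix entry and ou=People); self-write list abbreviated
ACIS = {
    "dc=txwes,dc=edu": [
        '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
        'allow (read, search, compare)userdn="ldap:///anyone";)',
        '(targetattr="mail ||roomNumber ||telephoneNumber")(version 3.0; acl "Enable '
        'self write for common attributes"; allow (write) userdn="ldap:///self";)',
    ],
    "ou=People,dc=txwes,dc=edu": [
        '(targetattr = "*") (target = "ldap:///ou=People,dc=txwes,dc=edu") (version 3.0;'
        'acl "ICT Admin";allow (all)(userdn = "ldap:///uid=breese,ou=Main,ou=People,dc=txwes,dc=edu"'
        ' or userdn = "ldap:///uid=rboone,ou=Main,ou=People,dc=txwes,dc=edu") and '
        '(ip="10.100.2.*" or ip="10.100.2.21");)',
    ],
}

def norm(dn):  # DN matching is case-insensitive: ou=main equals ou=Main
    return ",".join(p.strip().lower() for p in dn.split(","))
def parse_aci(aci):  # only the fields this simplified evaluator needs
    ta = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    return {
        "name": re.search(r'acl\s*"([^"]*)"', aci).group(1),
        "negated": ta.group(1) == "!=",
        "attrs": [a.strip().lower() for a in ta.group(2).split("||")],
        "rights": [r.strip() for r in re.search(r'allow\s*\(([^)]*)\)', aci).group(1).split(",")],
        "userdn": [norm(u) for u in re.findall(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)],
        "ip": re.findall(r'ip\s*=\s*"([^"]*)"', aci),
    }
def bind_matches(a, bind_dn, entry_dn, client_ip):
    """userdn clauses are OR'ed; an ip clause, when present, must match too."""
    who = a["userdn"]
    user_ok = "anyone" in who or (bind_dn is not None and (
        norm(bind_dn) in who or ("self" in who and norm(bind_dn) == norm(entry_dn))))
    ip_ok = not a["ip"] or any(fnmatch(client_ip, pat) for pat in a["ip"])
    return user_ok and ip_ok
def granting_acis(acis, bind_dn, client_ip, entry_dn, attr, right):
    """Names of the ACIs that allow `right` on `attr` of `entry_dn` for this bind."""
    names = []
    for scope, values in acis.items():
        if not norm(entry_dn).endswith(norm(scope)):
            continue  # an ACI reaches only the entry it sits on and that entry's subtree
        for a in map(parse_aci, values):
            listed = a["attrs"] == ["*"] or attr.lower() in a["attrs"]
            if (listed != a["negated"]) and (right in a["rights"] or "all" in a["rights"]) \
                    and bind_matches(a, bind_dn, entry_dn, client_ip):
                names.append(a["name"])
    return names
```

The ip keyword is compared against the address the directory server sees on the LDAP connection, so for a web gateway such as the DSGW that is the gateway host's address, not the browser's.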
Anyone got a clue? Thanks.

-Glenn.

---------- Original Message -----------
From: "Glenn" <glenn@mail.txwes.edu>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Wed, 5 Dec 2007 11:07:00 -0500
Subject: Re: [Fedora-directory-users] ACIs Don't Work?

> Rich - I'm posting the acis below. I tried to remove extra carriage
> returns for readability. Thanks. -Glenn.
------- End of Original Message -------