If you want to allow the modification of the whole entry, you need to remove the attrs=
option completely.
I think you're misunderstanding what attrs=entry
does. It doesn't let you modify the whole entry. The entry
attribute only grants permission to the entry itself (not its attributes), which basically only allows you to delete it. The children
attribute is what is letting you create new children under that entry. But as soon as the child is created, you can't modify it because it falls under the dn.subtree
match, and your ACL forbids modification of anything other than deleting the entry and creating children.
From http://www.openldap.org/doc/admin24/access-control.html:
There are two special pseudo attributes entry and children. To read
(and hence return) a target entry, the subject must have read access
to the target's entry attribute. To perform a search, the subject must
have search access to the search base's entry attribute. To add or
delete an entry, the subject must have write access to the entry's
entry attribute AND must have write access to the entry's parent's
children attribute. To rename an entry, the subject must have write
access to entry's entry attribute AND have write access to both the
old parent's and new parent's children attributes. The complete
examples at the end of this section should help clear things up.
As mentioned, the solution is to remove the attrs
option. This makes the ACL default to everything, so when you specify write,
it lets you write to everything on that entry.
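To make the difference concrete, here is an added example (not the original poster's ACL, and not from the OpenLDAP documentation) in slapd.conf syntax. The base DN ou=People,dc=example,dc=com and the bind DN cn=manager,ou=Admins,dc=example,dc=com are assumed names chosen for illustration; the first rule reproduces the restrictive behaviour described above, the second is the corrected form with the attrs= option removed.

```conf
# Added example, hypothetical tree: ou=People,dc=example,dc=com.
#
# BEFORE: write access is limited to the two pseudo attributes.
# With "entry" the subject may delete (or rename) any entry matched by
# dn.subtree, and with "children" it may add new children under it.
# Real attributes (cn, sn, userPassword, ...) are not covered by this
# rule, so a modify of a freshly created child is denied.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,children
    by dn.exact="cn=manager,ou=Admins,dc=example,dc=com" write
    by * read

# AFTER: no attrs= clause, so the rule applies to every attribute of
# every matched entry, which implicitly includes the entry and children
# pseudo attributes. The same subject can now add, delete, rename and
# modify entries in the subtree. Everyone else keeps read access.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=manager,ou=Admins,dc=example,dc=com" write
    by * read
```

Only one of the two rules should be present in a real configuration; they are shown together for comparison. Because slapd stops at the first access directive whose target matches, the restrictive rule placed first would still win if both were left in place. A quick offline check without restarting the server is slapacl, e.g. `slapacl -f /etc/openldap/slapd.conf -D "cn=manager,ou=Admins,dc=example,dc=com" -b "uid=jdoe,ou=People,dc=example,dc=com" cn/write` (paths and the uid=jdoe entry are assumed), which reports whether write on cn is ALLOWED or DENIED under the loaded ACLs.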