[ILUG] openldap ACL woes

[Bernhard Rohrer]

Hi Guys

I am struggling with my ACL 

I am trying to add an entry to my addressbook and am getting a permission denied error with the log showing this:

Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 BIND 
dn="uid=graylion,ou=users,dc=graylion,dc=net" method=128
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 BIND 
dn="uid=graylion,ou=users,dc=graylion,dc=net" mech=SIMPLE ssf=0
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 SRCH 
base="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" scope=0 
deref=0 filter="(objectClass=*)"
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 ENTRY 
dn="cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net"
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Apr 15 22:56:37 collab slapd[4243]: conn=7 op=2 ADD 
dn="uid=6b64867845662ba2624a367c8023367f,cn=graylion,ou=personal,ou=contacts,dc=graylion,dc=net" 

Apr 15 22:56:37 collab slapd[4243]: conn=7 op=2 RESULT tag=105 err=50 
text=no write access to parent

the relevant piece of ACL reads:

# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
      attrs=entry, at inetOrgPerson, at mozillaAbPersonAlpha
      by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
      by dn.regex="cn=admin,dc=graylion,dc=net" read
      by users none


# ... and the entries CHILDREN
#access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
      attrs=children
      by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
      by dn.regex="cn=admin,dc=graylion,dc=net" read
      by users none

this all looks right to me, so Hjaelp!

thanks

Bernhard