Thanks so much!
Now I'm reading the ACI chapter of the Directory Server 7.1 Administrator's Guide
(http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651) to see
what I might do to fix things.
Here is the output from the two commands you suggested. At least I can tell that one
suffix (o=NetscapeRoot) carries far more ACIs than the other (dc=hymesruzicka,dc=org) :)
A note of caution on the commands themselves: both pass the Directory Manager password
on the command line with -w, so it ends up in the shell history and is visible to anyone
who can list processes while the search runs; -W (prompt) or -y <passwordfile> avoids
that. They also use a simple bind (-x) — unless the default URI is ldaps:// or StartTLS
(-ZZ) is in effect, that bind password also crosses the network in the clear.
ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot
"aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#
# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator
Gro
up modification"; allow (all) groupdn="ldap:///cn=Configuration
Administrator
s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl
"Default
anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion";
allow
(read,
search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow
(all)
gr
oupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Grou
p,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot";)
# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare)userdn="ldap:///anyone";)
# Global Preferences,
hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access";
allow(read,sea
rch) userdn="ldap:///anyone";)
# UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User
Preferences";
a
llow (add) userdn = "ldap:///all";)
# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3DNetsca
peRoot, UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot",o
u=UserPreferences,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C
cn\3DServer
Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C
o\3DNets
capeRoot, UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server
Grou
p,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserP
references,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Server Group,
trixter.hymesruzicka.org,
hymesruzicka.org, NetscapeRoot
dn: cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable
de
legated access"; allow (read, search, compare) groupdn="ldap:///cn=Server
Gro
up,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrati
on Server, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRoot";)
# PublicViews, 1.1, Admin, Global Preferences,
hymesruzicka.org,
NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences,
ou=hymesruzicka.o
rg, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to
Save
Pu
blic Views"; allow (all) userdn = "ldap:///all";)
# slapd-trixter, Fedora Directory Server, Server Group,
trixter.hymesruzicka.
org,
hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trixter.
hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory
Server
, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=Netsca
peRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter,
cn=Fedora
Directory Server, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# configuration, slapd-trixter, Fedora Directory Server, Server Group,
trixte
r.hymesruzicka.org,
hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
G
roup,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Gr
oup,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot";)
# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C
cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot,
UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserPreferences
,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3DDirectory Manager, UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences,
ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Fedora Administration Server, Server Group,
trixter.hymesruzicka.org,
hymes
ruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group,
cn=trixter.hymesruzicka.
org,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable
dele
gated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora
Admin
istration Server, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# admin-serv-trixter, Fedora Administration Server, Server Group,
trixter.hym
esruzicka.org,
hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group,
c
n=trixter.hymesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrat
ion Server, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org
, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter,
cn=Fe
dora Administration Server, cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=
hymesruzicka.org, o=NetscapeRoot";)
# configuration, admin-serv-trixter, Fedora Administration Server, Server
Gro
up,
trixter.hymesruzicka.org,
hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration
Server,
cn=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=Netscape
Root
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access
configu
ration"; allow (read, search) groupdn="ldap:///cn=Server Group,
cn=trixter.hy
mesruzicka.org,
ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server,
cn
=Server Group,
cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRo
ot";)
# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3Dnets
capeRoot, UserPreferences,
hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement,
o=netscapeRoot"
,ou=UserPreferences,
ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# search result
search: 2
result: 0 Success
# numResponses: 17
# numEntries: 16
ldapsearch -x -D "cn=directory manager" -w anotherpassword -b
"dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#
#
hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName ||
facsimileTelepho
neNumber || homePhone || homePostalAddress || initials || jpegPhoto ||
labele
dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress
||
postalCode || preferredDeliveryMethod || preferredLanguage ||
registeredAddr
ess || roomNumber || secretary || seeAlso || st || street ||
telephoneNumber
|| telexNumber || title || userCertificate || userPassword ||
userSMIMECertif
icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for
commo
n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators
Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka,
dc=or
g");)
# People,
hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber ||
facsimiletelephonenumber
")(version 3.0;acl "Allow self entry modification";allow (write)(userdn =
"ld
ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter
="(ou=Accounting)")(version
3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn =
"lda
p:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human
Resources)")(ve
rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn =
"ldap:///cn=HR
M
anagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product
Testing)")(ver
sion 3.0;acl "QA Group Permissions";allow (write)(groupdn =
"ldap:///cn=QA
Ma
nagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product
Development)"
)(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn =
"ld
ap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2