# openldap acl issue (no write access to parent)

## pactoo

Hello,

I do have trouble with openldap acls. I've tried to define an admin group, but this does not work.

The user:

```
dn: cn=ldapadmins,o=ORG,c=DE
objectClass: groupOfUniqueNames
cn: ldapadmins
uniqueMember: uid=admin1,ou=gods,o=ORG,c=DE
uniqueMember: uid=admin2,ou=gods,o=ORG,c=DE

dn: uid=admin1,ou=gods,o=ORG,c=DE
objectClass: inetOrgPerson
objectClass: top
cn: Bastard Operator
sn: Operator
givenName: Bastard
uid: admin1
userPassword:: e1NTSEF9RkJDNEltblJrQ2luRvdD3m1hdPOXNzTDZFbGpRVVE=
```

The acl:

```
access to *
        by group.exact="cn=ldapadmins,o=ORG,c=DE"    manage
        by users                                        read
        by anonymous                                    auth
        by *                                            none
```

The Error:

```
#ldapdelete -v 'some DN' -D 'uid=admin1,ou=gods,o=ORG,c=DE' -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
deleting entry "some DN"
ldap_delete: Insufficient access (50)
        additional info: no write access to parent
```

So, despite admin1 being in the ldapadmins group and this group having full access (manage), I cannot delete an entry. ldapsearch works. I am not sure where the error is. There are some similar cases about this in google, but those are way more complicated and therefore not really usable.

----------

## nativemad

Hi, 

I actually don't know where the difference between "manage" and "write" is, but maybe it is exactly the delete function!? -I use "write"!

Funny, this is from http://www.zytrax.com/books/ldap/ch6/  ... 

*Quote:*

> manage - The objects defined in the <what> clause may be managed.
>
> write - The objects defined in the <what> clause may be written to.

which one has higher permissions now!?

----------

## pactoo

*nativemad wrote:*

> which one has higher permissions now!?

manage

Manage is (supposed) to be to openldap what root is to unix. That includes creation and deletion of objects.

See: http://www.openldap.org/doc/admin24/access-control.html chapter 8.2.3

Edit: But my problem still persists

----------

## nativemad

hmm... 

Do you have any other rule that could interfere? 

You should use "by * break" as end of every rule... Just the last one should have "by * none".

----------

## pactoo

No, these are all rules. It is still a very simple setup with a very simple DIT.

----------

## Sven Vermeulen

*pactoo wrote:*

> Hello,
>
> I do have trouble with openldap acls. I've tried to define an admin group, but this does not work.
>
> The user:
> ...

Iirc, group.exact only works with groupOfNames/member.

In your slapd.conf, instead of group.exact, use 

```
access to *
  by group/groupOfUniqueNames/uniqueMember.exact="cn=ldapadmins,o=ORG,c=DE" manage
```
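An added sanity check (not code from the thread or from OpenLDAP) that illustrates the point above: a plain `by group` clause is read by slapd as `group/groupOfNames/member`, so it silently matches nobody when the entry is a `groupOfUniqueNames`. The script parses one ACL clause and one LDIF entry (the constructed sample is the ldapadmins group from the first post, the LDIF reader is deliberately minimal) and reports where the two disagree.

```python
import re

# Constructed sample: the ldapadmins group entry from the thread, as LDIF.
GROUP_LDIF = """dn: cn=ldapadmins,o=ORG,c=DE
objectClass: groupOfUniqueNames
cn: ldapadmins
uniqueMember: uid=admin1,ou=gods,o=ORG,c=DE
uniqueMember: uid=admin2,ou=gods,o=ORG,c=DE
"""

# Defaults slapd fills in for a bare "group" clause; the full syntax is
# group[/<objectclass>[/<attrname>]][.<style>]=<dn> (admin guide, 8.2.3).
DEFAULT_OBJECTCLASS = "groupOfNames"
DEFAULT_ATTR = "member"

GROUP_CLAUSE_RE = re.compile(
    r'by\s+group(?:/(?P<oc>[\w-]+)(?:/(?P<attr>[\w-]+))?)?'
    r'(?:\.(?P<style>[a-z]+))?="(?P<dn>[^"]+)"\s+(?P<access>\S+)'
)

def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, no continuation lines, keys lowercased."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        # "::" marks a base64 value; kept raw, it is not needed for this check
        attrs.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    return attrs

def parse_group_clause(acl_line):
    """Return the effective objectclass/attr/dn of a 'by group...' clause."""
    m = GROUP_CLAUSE_RE.search(acl_line)
    if m is None:
        return None
    return {"objectclass": m.group("oc") or DEFAULT_OBJECTCLASS,
            "attr": m.group("attr") or DEFAULT_ATTR,
            "dn": m.group("dn"), "access": m.group("access")}

def check_group_clause(acl_line, group_ldif):
    """List mismatches between the ACL's group clause and the real group entry."""
    clause = parse_group_clause(acl_line)
    if clause is None:
        return ["no 'by group' clause found"]
    entry = parse_ldif_entry(group_ldif)
    problems = []
    if clause["objectclass"].lower() not in {v.lower() for v in entry.get("objectclass", [])}:
        problems.append(f"entry lacks objectClass {clause['objectclass']}")
    if clause["attr"].lower() not in entry:
        problems.append(f"entry has no {clause['attr']} attribute")
    return problems
```

Run against the original `by group.exact=...` line it reports both the missing `groupOfNames` class and the missing `member` attribute; against the `group/groupOfUniqueNames/uniqueMember.exact` form it reports nothing.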

----------

