[KLUG Members] OpenLDAP + TLS

Adam Tauno Williams members@kalamazoolinux.org
Thu, 26 Dec 2002 13:55:51 -0500


>I am also having one other small issue. If I add
>a cn, and want to allow that cn to only write to one branch of the
>tree, I would think the following access controls would work:
>access to dn="ou=contacts,dc=dom,dc=com"
>          by      dn="cn=email,dc=dom,dc=com"           write
>access to *
>         by      dn="cn=Manager,dc=dom,dc=com"         write

If I understand correctly what you are trying to do, I think you want -

access to dn="ou=People,o=Morrison Industries,c=US"
  attrs=children,entry
  by dn="cn=Manager,dc=com,dc=com" write
access to dn=".*,ou=People,o=Morrison Industries,c=US"
  by dn="cn=Manager,dc=com,dc=com" write

The ability to create/delete objects is separate from the ability to create/delete
attributes in an object (more or less).

To be perfect I'd add an attrs clause to the second rule to only allow the
attributes that belong to the objectclass you expect the manager to be creating
there.  That way they can't create potentially bad objects (service entries,
etc.) there and muck things up.

>I am consistently getting permission denied when I bind as the
>user email :( According to the openldap site and Adam's awesome
>LDAPv3 presentation, I thought this would work. So far no go :(

You get an error binding or attempting to modify?  What is your default access?
The DSA will need to give auth access to objects you expect to use in
authentication if your defaultaccess is set to none, as that applies to the DSA
itself as well.
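A small constructed model of the rule evaluation discussed in this message, added here and not part of the original post or of OpenLDAP itself: it parses both ACL sets above and checks, under the simplifying assumptions stated in its comments, that adding an entry needs write on the parent's children and on the new object's entry pseudo-attribute separately from write on its attributes.

```python
import re

# Constructed, simplified model of slapd.conf ACL evaluation; not slapd's own code.
# Assumptions: dn="..." is a regular expression matched against the whole DN; the
# first "access to" clause whose target and attrs cover the request is selected and
# the first matching "by" clause in it decides (no match means denied); a clause
# without attrs covers every attribute plus the "entry"/"children" pseudo-attributes.

QUESTIONER_ACL = '''
access to dn="ou=contacts,dc=dom,dc=com" by dn="cn=email,dc=dom,dc=com" write
access to * by dn="cn=Manager,dc=dom,dc=com" write
'''

ANSWER_ACL = '''
access to dn="ou=People,o=Morrison Industries,c=US" attrs=children,entry
  by dn="cn=Manager,dc=com,dc=com" write
access to dn=".*,ou=People,o=Morrison Industries,c=US"
  by dn="cn=Manager,dc=com,dc=com" write
'''

def parse_acl(text):
    """Return [(target_regex, attrs_or_None, [(who, level), ...]), ...]."""
    rules = []
    for block in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        header = re.split(r"\bby\b", block, maxsplit=1)[0]
        dn = re.search(r'dn="([^"]*)"', header)
        attrs = re.search(r"attrs=([\w,]+)", header)
        by = [(who or "*", lvl) for who, _, lvl in
              re.findall(r'by\s+(?:dn="([^"]*)"|(\*))\s+(\w+)', block)]
        rules.append((dn.group(1) if dn else ".*",
                      set(attrs.group(1).split(",")) if attrs else None, by))
    return rules

def level(rules, dn, attr, who):
    """Access level 'who' has to one attribute (or pseudo-attribute) of 'dn'."""
    for target, attrs, by in rules:
        if not re.fullmatch(target, dn, re.I) or (attrs and attr not in attrs):
            continue
        for who_dn, lvl in by:
            if who_dn == "*" or who_dn.lower() == who.lower():
                return lvl
        return "none"           # clause selected, but no 'by' matched: denied
    return "none"

def can_modify(rules, dn, attr, who):
    return level(rules, dn, attr, who) == "write"

def can_add(rules, new_dn, attrs, who):
    """An add needs write on the parent's 'children', on the new entry's 'entry'
    pseudo-attribute, and on each attribute the new entry carries."""
    parent = new_dn.split(",", 1)[1]
    checks = [(parent, "children"), (new_dn, "entry")] + [(new_dn, a) for a in attrs]
    return all(level(rules, d, a, who) == "write" for d, a in checks)
```

Under the questioner's rules the model lets cn=email modify attributes of ou=contacts but not add a child beneath it, since the child's own DN falls to the second clause; under the answer's rules the Manager can add children of ou=People while still having no write to ou=People's own attributes.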