Hello! Everything works as it should for me =). Here is the test slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to *
        by self read
        by users read
        by anonymous auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "o=mycompany.com"
directory /var/openldap/mycompany.com
rootdn "cn=Manager,o=mycompany.com"
rootpw secret
access to dn.subtree="ou=Employees,o=mycompany.com"
        attrs=children,entry
        by set="[cn=ldapmanagers,ou=Groups,o=mycompany.com]/memberUid & user/uid" =ar
access to dn.subtree="ou=Employees,o=mycompany.com" filter=(objectClass=inetOrgPerson)
        by set="[cn=ldapmanagers,ou=Groups,o=mycompany.com]/memberUid & user/uid" =arscdx continue
        by * break
access to dn.subtree="ou=Employees,o=mycompany.com" filter=(objectClass=inetOrgPerson)
        attrs=jpegPhoto,homePhone,mobile
        by set="[cn=ldapmanagers,ou=Groups,o=mycompany.com]/memberUid & user/uid" write
        by * break
Since I didn't have your object class, I used inetOrgPerson and its attributes, but the idea is the same.
Here is the initial contents of the DIT:
dn: o=mycompany.com
objectClass: organization
o: mycompany.com

dn: ou=Employees,o=mycompany.com
objectClass: organizationalUnit
ou: Employees

dn: uid=egor,ou=Employees,o=mycompany.com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: egor
cn: Egor
sn: Egor
uidNumber: 1001
gidNumber: 1000
homeDirectory: /home/egor
userPassword: egor
mobile: 89xxxxxxxxx

dn: ou=Groups,o=mycompany.com
objectClass: organizationalUnit
ou: Groups

dn: cn=ldapmanagers,ou=Groups,o=mycompany.com
objectClass: posixGroup
cn: ldapmanagers
gidNumber: 1000
memberUid: egor
Now I try to add the following user:
dn: uid=olegd,ou=Employees,o=mycompany.com
objectClass: inetOrgPerson
uid: olegd
cn: Oleg
sn: D
mobile: 89xxxxxxxxx
# ldapadd -x -D 'uid=egor,ou=Employees,o=mycompany.com' -W -f ./002-new_user.ldif
Enter LDAP Password:
adding new entry "uid=olegd,ou=Employees,o=mycompany.com"
It was added =). Now let's modify it:
dn: uid=olegd,ou=Employees,o=mycompany.com
changetype: modify
replace: mobile
mobile: +79xxxxxxxxx
# ldapmodify -x -D 'uid=egor,ou=Employees,o=mycompany.com' -W -f ./003-modify_user.ldif
Enter LDAP Password:
modifying entry "uid=olegd,ou=Employees,o=mycompany.com"
Everything worked again =).
Checks with slapacl:
# slapacl -f /etc/openldap/slapd.conf -v -D 'uid=egor,ou=Employees,o=mycompany.com' -b "ou=Employees,o=mycompany.com"
authcDN: "uid=egor,ou=employees,o=mycompany.com"
entry: =ar
children: =ar
objectClass=organizationalUnit: =0
ou=Employees: =0
structuralObjectClass=organizationalUnit: =0
entryUUID=539e9a9f-4b1c-4bc7-9d2e-4a471561ccb6: =0
creatorsName=cn=manager,o=mycompany.com: =0
createTimestamp=20121107234031Z: =0
entryCSN=20121107234031.220046Z#000000#000#000000: =0
modifiersName=cn=manager,o=mycompany.com: =0
modifyTimestamp=20121107234031Z: =0
# slapacl -f /etc/openldap/slapd.conf -v -D 'uid=egor,ou=Employees,o=mycompany.com' -b "uid=olegd,ou=Employees,o=mycompany.com"
authcDN: "uid=egor,ou=employees,o=mycompany.com"
entry: =ar
children: =ar
objectClass=inetOrgPerson: =arscxd
uid=olegd: =arscxd
cn=Oleg: =arscxd
sn=D: =arscxd
structuralObjectClass=inetOrgPerson: =arscxd
entryUUID=3a0a179f-8ff0-41ca-b09b-d20dcadb4b77: =arscxd
creatorsName=uid=egor,ou=Employees,o=mycompany.com: =arscxd
createTimestamp=20121107234143Z: =arscxd
mobile=+79xxxxxxxxx: write(=wrscxd)
entryCSN=20121107234158.275632Z#000000#000#000000: =arscxd
modifiersName=uid=egor,ou=Employees,o=mycompany.com: =arscxd
modifyTimestamp=20121107234158Z: =arscxd
Everything is in accordance with the ACL (see, for example, the mobile attribute).
Егор
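As an added example (not part of Egor's post and not OpenLDAP's own code), here is a small Python check that parses the slapacl -v output format shown above and verifies the least-privilege intent of the ACL: members of ldapmanagers may add entries and read everything, but get write (or delete/manage) only on jpegPhoto, homePhone and mobile. The embedded sample is a constructed copy of the uid=olegd output above; the privilege letters are interpreted per slapd.access(5) (0 none, d disclose, x auth, c compare, s search, r read, w write, a add, z delete, m manage). Attribute names are compared case-insensitively, as LDAP does.

```python
import re

# Constructed copy of the "slapacl -v ... -b uid=olegd,..." output from the post.
SAMPLE_OUTPUT = """\
authcDN: "uid=egor,ou=employees,o=mycompany.com"
entry: =ar
children: =ar
objectClass=inetOrgPerson: =arscxd
uid=olegd: =arscxd
cn=Oleg: =arscxd
sn=D: =arscxd
structuralObjectClass=inetOrgPerson: =arscxd
creatorsName=uid=egor,ou=Employees,o=mycompany.com: =arscxd
createTimestamp=20121107234143Z: =arscxd
mobile=+79xxxxxxxxx: write(=wrscxd)
entryCSN=20121107234158.275632Z#000000#000#000000: =arscxd
"""

# The access spec is either "=letters" (e.g. "=ar", "=0") or "level(=letters)"
# (e.g. "write(=wrscxd)"); we only need the exact letters after "=".
ACCESS_RE = re.compile(r"=([0-9a-z]+)\)?\s*$")

# Bits that let the subject change or remove data (slapd.access(5) "=" form).
MODIFY_BITS = {"w", "z", "m"}

# Attributes the ACL in the post deliberately makes writable for ldapmanagers.
WRITABLE_BY_MANAGERS = frozenset({"jpegphoto", "homephone", "mobile"})


def parse_slapacl(output):
    """Map each attribute (lowercased) / 'entry' / 'children' to its set of privilege letters."""
    privs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("authcDN:"):
            continue
        subject, sep, access = line.rpartition(": ")
        if not sep:
            continue
        m = ACCESS_RE.search(access)
        if not m:
            raise ValueError(f"unrecognised access spec: {line!r}")
        letters = m.group(1)
        attr = subject.split("=", 1)[0].lower()   # "cn=Oleg" -> "cn"; "entry" stays "entry"
        bits = set() if letters == "0" else set(letters)
        privs.setdefault(attr, set()).update(bits)  # multi-valued attrs: union of values
    return privs


def find_violations(privs, writable=WRITABLE_BY_MANAGERS):
    """Return [(attr, leaked_bits)] for attributes that should be read-only but carry w/z/m."""
    bad = []
    for attr, letters in sorted(privs.items()):
        if attr in writable:
            continue
        leaked = letters & MODIFY_BITS
        if leaked:
            bad.append((attr, "".join(sorted(leaked))))
    return bad


def missing_bits(privs, required):
    """required: {attr: letters}. Return {attr: letters still missing}; absent attrs count as missing."""
    out = {}
    for attr, bits in required.items():
        have = privs.get(attr.lower(), set())
        missing = set(bits) - have
        if missing:
            out[attr] = "".join(sorted(missing))
    return out


if __name__ == "__main__":
    p = parse_slapacl(SAMPLE_OUTPUT)
    # Expect no leaked write bits, and 'w' on mobile plus 'a' on children (so ldapadd works).
    print("violations:", find_violations(p))
    print("missing:", missing_bits(p, {"mobile": "w", "children": "a"}))
```

Pipe real output in with `slapacl -f /etc/openldap/slapd.conf -v -D '<bindDN>' -b '<entryDN>' | python3 check_acl.py` style wiring once the script reads stdin; the functions above are what a regression test around an ACL change would call.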