Results as I see them
The non-admin user must move an entry from the People group to the AMI group. The operation fails with the message:
Error while moving entry
- [LDAP result code 50 - insufficientAccessRights]
The entry uid=user11,ou=People,dc=example,dc=com
cannot be renamed due to insufficient access rights
If the same user copies the entry and removes it - no problems. If the root user moves the entry - no problems.
A simple rename is also impossible for the non-admin user, and fails with the same message.
How can I permit the user to rename?
Surroundings and settings:
- OpenDJ v4.5 is used as an LDAP server
- Apache Development Studio is used as a client
The server has three OUs:
- ou=Administrators,dc=example,dc=com - where the only non-admin user lives
- ou=AMI,dc=example,dc=com - AMI group
- ou=People,dc=example,dc=com - People group
The non-admin user is:
uid=idm,ou=Administrators,dc=example,dc=com
Using the client, I imported the following permission into the dc=example,dc=com root:
aci: (target="ldap:///dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "IDM Access"; allow (all,proxy,import,export) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
You can see that all possible targetattr and allow values are covered, according to the Administration Guide.
The option "update existing entries" was checked while importing. The import shows no errors.
I thought that maybe I should set privileges for the user rather than permissions. Alas, in the list of privileges I saw none that looked like (allow to rename).
As documented (https://backstage.forgerock.com/docs/opendj/3.5/admin-guide/#aci-permissions), to move an entry you need the import and export permissions in the ACI. These permissions are not included in "all".
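As an added LDIF illustration (not part of the question or the answer above) of the point the answer makes: the first record grants only "all", which in OpenDJ ACI syntax does not cover import or export; the second record grants export on the source OU and import on the destination OU, scoped to just those subtrees; the last record is the modify-DN operation that moves uid=user11 from ou=People to ou=AMI. The DNs come from the question; the ACI names are assumed.

```ldif
# Constructed example. ACI granting "all" only: in OpenDJ "all" means
# read, write, add, delete, search, compare and selfwrite, so with this
# ACI alone a modify-DN that changes the parent is still refused.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr="*||+")
  (version 3.0; acl "IDM Access - all only"; allow (all)
  userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)

# Explicit move rights, scoped to the two OUs involved: "export" lets
# the entry leave ou=People, "import" lets it be placed under ou=AMI.
# (Continuation lines start with two spaces so a space survives the
# LDIF line folding.)
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com")
  (version 3.0; acl "IDM export from People"; allow (export)
  userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
-
add: aci
aci: (target="ldap:///ou=AMI,dc=example,dc=com")
  (version 3.0; acl "IDM import into AMI"; allow (import)
  userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)

# The move itself, performed as uid=idm: a modify-DN with a new parent.
# The RDN is unchanged, so there is no old RDN value to delete.
dn: uid=user11,ou=People,dc=example,dc=com
changetype: moddn
newrdn: uid=user11
deleteoldrdn: 0
newsuperior: ou=AMI,dc=example,dc=com
```

Apply the records with an LDIF-capable client (the question's Apache client import, or OpenDJ's ldapmodify) and confirm the move as the non-admin user; the "all only" record is shown for contrast and is not needed once the export/import ACIs are in place.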