Setting up groups under OpenLDAP
Hi there,
I read through the FAQ-o-matic on setting up groups for access control
(http://www.openldap.org/faq/data/cache/52.html), but still seem to be
having problems - if I connect to the server as a member of the
"administrators" group, I still can't modify attributes of contexts other
than the one I've bound as, and I can't create or delete any subcontexts.
Perhaps it's with my interpretation of the solution. Can anybody help me
here?
Here's my slapd.conf:
-----------------------------------
database ldbm
suffix "o=cascade, c=au"
directory /usr/local/ldap/data
rootdn "uid=root, o=cascade, c=au"
rootpw (password)
loglevel 4095
access to *
by self write
by group="cn=Administrators,ou=groups,o=cascade,c=au" (do we need the
o=cascade,c=au if the suffix is set to this above?)
by dn=".+" read
by * read
-----------------------------------
Here's my tree structure, with some test entities added:
o=cascade,c=au
|
+-ou=people
| |
| +-uid=dan
| +-uid=another
|
+-ou=groups
|
+-cn=Administrators
Now, the uid=dan entry has a userPassword attribute set to binary data, and
I can successfully connect using this context and password, and view the
entire tree structure.
The cn=administrators entry has the attribute member set to
"uid=dan,ou=people,o=cascade,c=au".
When I try to add the attribute "test" to uid=another, the log reports
"acl_access_allowed: matched by clause #3 access denied", and error code 50
is returned.
Can anybody tell me where I'm going wrong here, or where some further
documentation is to lead me down the right path?
Thanks :)
D.
Dan Makovec
e-mail dan@fatcanary.com.au
ICQ 1398090
Every day is a gift, that's why the present is so named
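For comparison, an added example (not from the post above): the same access directive with the group clause carrying an explicit access level. slapd evaluates the "by" clauses of a matching directive in order and stops at the first one whose <who> matches, so the level written on the group clause is what group members get; the group DN is always a full DN, not relative to the suffix, and by default the group entry is matched as objectClass groupOfNames with its member attribute. The ou=groups entry and the groupOfNames class for cn=Administrators are assumed here.

```conf
# Added example: access directive with an explicit level on the group clause.
# Clause order matters: the first "by" clause that matches the bound DN wins.
access to *
        by self write
        by group="cn=Administrators,ou=groups,o=cascade,c=au" write
        by dn=".+" read
        by * read
# With "write" on the group clause, a bind as a member of cn=Administrators
# (e.g. uid=dan,ou=people,o=cascade,c=au listed in its member attribute)
# is granted write on every entry; without an access level on that clause
# nothing is granted there and evaluation falls through to the read clauses.
```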