[Date Prev][Date Next] [Chronological] [Thread] [Top]

Continued: Security question. (fwd)

To: openldap-software@OpenLDAP.org
Subject: Continued: Security question. (fwd)
From: Cliff Friedel <cliff@wrkcs.net>
Date: Fri, 30 Jun 2000 09:25:50 -0400 (EDT)

Ok, here's where I stand now. I still have this in my ldap directory:

cn=Administrators,dc=<my domain>,dc=net
cn=Administrators
objectclass=groupofNames
objectclass=top
member=cn=<member1>,dc=<my domain>,dc=net
member=cn=<member2>,dc=<my domain>,dc=net

I have now have this in my slapd.conf:

defaultaccess read
access to dn="cn=*,dc=<my domain>,dc=net
	by self write
	by dn="cn=Manager,dc=<my domain>,dc=net" write
	by group="cn=Administrators,dc=<my domain>,dc=net" write
	by * read

This still allows Manager all access to the ldap directory, but if I try
to write with member1, I get insufficient access.  Upon looking at the
logs, I see and error code of 50 (the action it tries to perform is a
mod).  One question I was thinking is:  does openldap recognize the
objectclass: groupofNames or does it need to be object: group?  I have
seen both on the net, but the RFC asks for the first one if I remember
correctly.  Any ideas?  Thanks in advance and for all the help given thus
far.

Cliff

Follow-Ups:
- Re: Continued: Security question. (fwd)
  - From: blair christensen <blair@bsd.uchicago.edu>

Prev by Date: Re: Security question.
Next by Date: Re: Continued: Security question. (fwd)
Index(es):
- Chronological
- Thread