[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd.conf Access Question
If I understand you correctly, cn=Admins,o=myorg,c=us is a role, but
your rule is treating it as a base under which DN's would belong (e.g.
uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
the attributes of that DN and tests for a matching roleOccupant, like
this:
by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write
What this rule says is that "cn=Admin..." is a group of objectclass
organizationalRole, where each member is identified by the attribute
roleOccupant.
So... your record should look like this (stripped down -- you prob.
want/need more attributes):
dn: cn=Admins,o=myorg,c=us
objectClass: organizationalRole
cn: Admins
roleOccupant: cn=me,o=myorg,c=us
roleOccupant: cn=you,o=myorg,c=us
...
Does that make sense?
Matt
On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> I just wanted to take a moment to thank everyone who has answered my
> questions. You have really helped get my LDAP project off the ground.
>
> However, now another question has arisen.
>
> In the slapd.conf file, I am trying to set-up the access rights so my
> administrators don't need to authenticate using the rootdn.
>
> My access rules are as follows:
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn.base="cn=Admins,o=myorg,c=us" write
> by * none
>
> access to *
> by self write
> by dn.base="cn=Admins,o=myorg,c=us" write
> by * read
>
> cn=Admins,o=myorg,c=us being an organization role with several
> roleoccupant attributes, each one containing a DN of a directory
> administrator.
>
> It appears that the 1st access rule is working correctly, since people
> in the group can see and manage the password while people outside the
> group can not see the attribute, however the second access rule is not
> working at all. It appears that everyone only has read access except
> the rootdn of course.
>
> Thanks again.
>
--
M Butcher <mbutcher@grcomputing.net>