[Date Prev][Date Next] [Chronological] [Thread] [Top]

Fw: slapd.conf Access Question


I believe so, but just to make sure...

I should change the access rule in the conf file to say:
access * by dn.group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write

My object for the organizationalRole is exactly as you have listed below, so on that I was on the right path.
----- Forwarded by Mike Carpenter/Arnold Industries on 06/06/2003 02:08 PM -----
M Butcher <mbutcher@grcomputing.net>

06/06/2003 12:41 PM

       
        To:        Mike Carpenter <MCarpenter@roadwaynextday.com>
        cc:        openldap-software@OpenLDAP.org
        Subject:        Re: slapd.conf Access Question



If I understand you correctly, cn=Admins,o=myorg,c=us is a role, but
your rule is treating it as a base under which DN's would belong (e.g.
uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
the attributes of that DN and tests for a matching roleOccupant, like
this:

by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write

What this rule says is that "cn=Admin..." is a group of objectclass
organizationalRole, where each member is identified by the attribute
roleOccupant.

So... your record should look like this (stripped down -- you prob.
want/need more attributes):

dn: cn=Admins,o=myorg,c=us
objectClass: organizationalRole
cn: Admins
roleOccupant: cn=me,o=myorg,c=us
roleOccupant: cn=you,o=myorg,c=us
...

Does that make sense?

Matt


On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> I just wanted to take a moment to thank everyone who has answered my
> questions.  You have really helped get my LDAP project off the ground.
>
> However, now another question has arisen.
>
> In the slapd.conf file, I am trying to set-up the access rights so my
> administrators don't need to authenticate using the rootdn.
>
> My access rules are as follows:
>
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn.base="cn=Admins,o=myorg,c=us" write
>         by * none
>
> access to *
>         by self write
>         by dn.base="cn=Admins,o=myorg,c=us" write
>         by * read
>
> cn=Admins,o=myorg,c=us being an organization role with several
> roleoccupant attributes, each one containing a DN of a directory
> administrator.
>
> It appears that the 1st access rule is working correctly, since people
> in the group can see and manage the password while people outside the
> group can not see the attribute, however the second access rule is not
> working at all.   It appears that everyone only has read access except
> the rootdn of course.  
>
> Thanks again.
>  
--
M Butcher <mbutcher@grcomputing.net>