[Date Prev][Date Next] [Chronological] [Thread] [Top]

Setting up groups under OpenLDAP

Hi there,

I read through the FAQ-o-matic on setting up groups for access control
(http://www.openldap.org/faq/data/cache/52.html), but still seem to be
having problems - if I connect to the server as a member of the
"administrators" group, I still can't modify attributes of contexts other
than the one I've binded as, and I can't create or delete any subcontexts.
Perhaps its with my interpretation of the solution.  Can anybody help me

Here's my slapd.conf:
database	ldbm
suffix		"o=cascade, c=au"
directory	/usr/local/ldap/data
rootdn		"uid=root, o=cascade, c=au"
rootpw		(password)

loglevel		4095

access to *
	by self write
	by group="cn=Administrators,ou=groups,o=cascade,c=au" (do we need the
o=cascade,c=au if the suffix is set to this above?)
	by dn=".+" read
	by * read

Here's my tree structure, with some test entities added:

|  |
|  +-uid=dan
|  +-uid=another

Now, the uid=dan entry has a userPassword attribute set to binary data, and
I can successfully connect using this context and password, and view the
entire tree structure.

The cn=administrators has a the attribute member set to

When I try to add the attribute "test" to uid=another, the log reports
"acl_access_allowed: matched by clause #3 access denied, and error code 50
is returned.

Can anybody tell me where I'm going wrong here, or where some further
documentation is to lead me down the right path?

Thanks :)

Dan Makovec
e-mail  dan@fatcanary.com.au <mailto:dan@fatcanary.com.au>
ICQ     1398090
Every day is a gift, that's why the present is so named