
RE: Setting up groups under OpenLDAP

According to my understanding of the FAQ page
(http://www.openldap.org/faq/data/cache/52.html), I can set up the entry
"cn=Administrators,ou=groups,o=cascade,c=au", and set its objectclass
attribute to groupofNames.  Then I set its member attribute to include the
value "uid=dan,ou=people,o=cascade,c=au".

access to *
   by group "cn=Administrators,ou=groups,o=cascade,c=au" write
   by dn=".+" read
   by * read

rule then should hopefully mean that if I bind to the server as any name
specified in the named group's member attribute, I should be given write
permission to any entry in the database.  Is this a correct assumption?

I've just noticed that I haven't set the objectclass for
cn=Administrators... to "top". Will this affect things?


Dan Makovec
e-mail  dan@fatcanary.com.au
ICQ     1398090
Every day is a gift, that's why the present is so named

> -----Original Message-----
> From: Benjamin de los Angeles Jr. [mailto:bench@surfshop.net.ph]
> Sent: Monday, 17 April 2000 19:10
> To: Dan
> Cc: openldap-software@openldap.org
> Subject: RE: Setting up groups under OpenLDAP
> What's the access permission for
> access to *
>    by group="cn=Administrators,ou=groups,o=cascade,c=au"
> On Mon, 17 Apr 2000, Dan wrote:
> > Hi there,
> >
> > > Error code 50 means you have insufficient access. It's true, acl's are
> > > applied to the user used to bind to LDAP.  Make sure you are binding as
> > > a user with the right acl to modify things.
> >
> > Yeah I bind as uid=dan, which should be a member of the cn=Administrators
> > group, which should be configured to have write access to all in
> > slapd.conf (see the original message).  Any ideas which acl setting I may
> > have missed?
> >
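As an added illustration (not part of the original thread), this is the group entry the message describes, written as LDIF that the "by group" clause in the quoted access rule can resolve; the DNs are the thread's own, everything else is an assumption about the schema as shipped with OpenLDAP:

```ldif
# Group entry referenced by: by group "cn=Administrators,ou=groups,o=cascade,c=au" write
# With no explicit attribute/objectclass qualifier, "by group" defaults to
# objectclass groupOfNames and attribute member, so this entry must use both.
dn: cn=Administrators,ou=groups,o=cascade,c=au
# groupOfNames is a structural class derived from top; slapd treats top as
# implied, so leaving it out is not the cause of an "insufficient access" error.
objectClass: top
objectClass: groupOfNames
cn: Administrators
# groupOfNames REQUIRES at least one member value. The value is compared as a
# full DN against the bind DN, so it must be the member's complete entry DN.
member: uid=dan,ou=people,o=cascade,c=au
```

Once this entry exists and the client binds as uid=dan,ou=people,o=cascade,c=au (a simple bind against that entry's userPassword, not an anonymous bind), the group clause is the first "by" clause to match, so write is granted before the later dn=".+" and * clauses are considered. The access rule must sit in the database section that holds o=cascade,c=au and ahead of any earlier "access to *" rule, since slapd stops at the first "access to" directive whose target matches the entry.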