
Re: Adding administrators to LDAP

I used ldapdelete and removed my sysadmin group that had the
objectClass=posixGroup.  I then added the sysadmin group again with the
objectclass=groupOfNames and added the dn for it in my ACL rules in
slapd.conf.  I then restarted ldap and, since I was a 'member=
uid=jhoot,ou=people,dc=nowcom,dc=com' of cn=sysadmin, tried to change the
password of another user.  The following is what I used to add the sysadmin
entry, what I used as my ACL, and finally what I used to try and change the
password for another user.

[jhoot@plastic scripts]$ ldapadd -D cn=manager,dc=nowcom,dc=com -W
Enter LDAP Password:
member= uid=jhoot,ou=people,dc=nowcom,dc=com
member= uid=bbrookie,ou=people,dc=nowcom,dc=com
member= uid=ddimick,ou=people,dc=nowcom,dc=com 

# Allow the manager and user to change the user's password
access to attrs=userpassword
        by self write
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by dn="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by * search
#       by anonymous auth

[jhoot@plastic scripts]$ ldapmodify -D uid=jhoot,ou=people,dc=nowcom,dc=com -W
Enter LDAP Password:
modifying entry uid=ddimick,ou=people,dc=nowcom,dc=com
ldap_modify: Insufficient access

Vetle Roeim <vetler@opera.com> said:

> * Joseph Hoot
> > What is the best way to add System Administrators to the LDAP server?  I'm
> > using the following group and adding cn=sysadmin,ou=Group,dc=nowcom,dc=com to
> > a couple ACLs with write privileges, but that didn't seem to work.  What I
> > want to do is to be able to add something like the following group and
> > add cn=sysadmin,ou=Group,dc=nowcom to the ACLs.  If I do use something like
> > the following, how do I bind?  Do I bind with
> > uid=jhoot,ou=people,dc=nowcom,dc=com or do I bind with
> > and just use the passwd from my uid user?
> I'm not familiar with the objectclass 'posixGroup', but I can tell you
> what will work.
> Create a group, cn=sysadmin,ou=Group,dc=nowcom,dc=com, for instance,
> with 'groupOfNames' as the objectclass.
> Then put the dn of the members of this group into the 'member'
> attribute and use the DN of this object in the ACL.
> It should then be possible for the members of the group to bind with
> their own DNs and have the access rights of the group.
> HTH,
> vr
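An added example, not part of either message above, showing why the posted ACL yields "Insufficient access" and what the working form looks like. It assumes the DNs used in the thread (cn=sysadmin,ou=Group,dc=nowcom,dc=com as a groupOfNames whose member values are the users' full DNs) and standard OpenLDAP slapd.conf access-control syntax as documented in slapd.access(5):

```conf
# Added example (not from the original post). Assumes the DNs used in the
# thread and that cn=sysadmin,ou=Group,dc=nowcom,dc=com is a groupOfNames.

# As posted: a "by dn=" clause is compared against the DN the client bound
# as.  A member binds as uid=jhoot,ou=people,..., which never equals the
# group's DN, so the clause does not match and the request falls through to
# "by * search", hence "Insufficient access" on the modify.
#access to attrs=userpassword
#        by self write
#        by dn="cn=Manager,dc=nowcom,dc=com" write
#        by dn="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
#        by * search

# Group membership is expressed with "by group=".  slapd reads the named
# group entry and grants the access if the bind DN appears in its member
# attribute.  groupOfNames/member are the defaults, written out for clarity.
access to attrs=userPassword
        by self write
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by group/groupOfNames/member="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by anonymous auth
        by * none
```

Two notes on the tail of the rule: "by anonymous auth" is what lets a simple bind compare the supplied password against userPassword, while "by * none" replaces the posted "by * search", which would let any client use userPassword in a search filter and probe password values that way. If cn=Manager is the database rootdn, its clause is redundant, since the rootdn bypasses ACLs entirely. On OpenLDAP 2.3 or later the rule can be checked offline before restarting with slapacl, for example `slapacl -f slapd.conf -D "uid=jhoot,ou=people,dc=nowcom,dc=com" -b "uid=ddimick,ou=people,dc=nowcom,dc=com" "userPassword/write"`, which should now report write access granted for a group member and denied for a user who is not in the group.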