Re: Adding administrators to LDAP
I used ldapdelete and removed my sysadmin group that had the
objectClass=posixGroup. I then added the sysadmin group again with the
objectclass=groupOfNames and added the dn for it in my ACL rules in
slapd.conf. I then restarted ldap, and since I was a 'member=
uid=jhoot,ou=people,dc=nowcom,dc=com' of cn=sysadmin, I tried to change the
password of another user. The following is what I used to add the sysadmin
entry, what I used as my ACL, and finally what I used to try and change the
password for another user.
[jhoot@plastic scripts]$ ldapadd -D cn=manager,dc=nowcom,dc=com -W
Enter LDAP Password:
# Allow the manager and user to change the user's password
access to attrs=userpassword
        by self write
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by dn="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by * search
#       by anonymous auth
[jhoot@plastic scripts]$ ldapmodify -D uid=jhoot,ou=people,dc=nowcom,dc=com -W
Enter LDAP Password:
modifying entry uid=ddimick,ou=people,dc=nowcom,dc=com
ldap_modify: Insufficient access
Vetle Roeim <email@example.com> said:
> * Joseph Hoot
> > What is the best way to add System Administrators to the LDAP server? I
> > using the following group and adding cn=sysadmin,ou=Group,dc=nowcom,dc=com
> > a couple ACL's with write privileges, but that didn't seem to work. What
> > want to do is to be able to add something like the following group and
> > add cn=sysadmin,ou=Group,dc=nowcom to the ACLs. If I do use something
> > the following, how do I bind? Do I bind with
> > uid=jhoot,ou=people,dc=nowcom,dc=com or do I bind with
> > and just use the passwd from my uid user?
> I'm not familiar with the objectclass 'posixGroup', but I can tell you
> what will work.
> Create a group, cn=sysadmin,ou=Group,dc=nowcom,dc=com, for instance,
> with 'groupOfNames' as the objectclass.
> Then put the dn of the members of this group into the 'member'
> attribute and use the DN of this object in the ACL.
> It should then be possible for the members of the group to bind with
> their own DNs and have the access rights of the group.