
ACL : by group



I am using openldap 2.0.23 on RedHat. The server is performing local
authentication for ssh, pop, etc.

I have created an administrator group:

dn: cn=administrator,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: administrator
userPassword:: e2NyeXB0fXg=
gidNumber: 503
memberUid: chris

I would like members of this group to modify, delete ldap entries - so I
have attempted the following ACL:

access to attrs=userPassword,loginShell
        by self write
        by anonymous auth
        by group="cn=administrator,ou=Group,dc=example,dc=com" write
        by * none
access to *
        by * read

However, when I attempt to modify an entry using an administrator account, I
get the following:

ldapmodify -x -D "uid=chris,ou=employee,ou=people,dc=example,dc=com" -W -v -f /tmp/ldifmod4
Enter LDAP Password:
replace loginShell:
        /bin/bash
modifying entry "uid=joe,ou=Employee,ou=People,dc=example,dc=com"
ldap_modify: Insufficient access

I've probably got the ACL wrong somewhere - could someone give me a nudge in
the right direction please.

Many Thanks,
Chris
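As an added illustration (not part of Chris's message and not OpenLDAP code), the following Python toy model walks an ACL the way slapd does: the first `access to` clause whose `<what>` covers the attribute is selected, then within it the first `by` clause whose `<who>` matches the bound DN decides the result, and nothing later is consulted. It is fed the entries named in the post (chris, joe, the posixGroup) plus one assumed entry, `cn=ldapadmins,ou=Group,dc=example,dc=com`, a groupOfNames whose `member` attribute holds chris's DN. The directory contents and the `acl_with_group` helper are constructed for this example.

```python
"""Toy slapd ACL evaluator: first matching 'access to' clause, then first
matching 'by' clause wins.  Written for this page; not OpenLDAP's own code."""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

CHRIS = "uid=chris,ou=employee,ou=people,dc=example,dc=com"   # bind DN from the post
JOE = "uid=joe,ou=Employee,ou=People,dc=example,dc=com"       # entry being modified


def norm_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


# Constructed directory: the post's two users and its posixGroup, plus an
# ASSUMED groupOfNames (cn=ldapadmins) whose member values are DNs.
DIRECTORY = {
    norm_dn(CHRIS): {"objectClass": ["posixAccount"], "loginShell": ["/bin/sh"]},
    norm_dn(JOE): {"objectClass": ["posixAccount"], "loginShell": ["/bin/sh"]},
    norm_dn("cn=administrator,ou=Group,dc=example,dc=com"): {
        "objectClass": ["posixGroup", "top"], "gidNumber": ["503"],
        "memberUid": ["chris"]},                       # bare uid, not a DN
    norm_dn("cn=ldapadmins,ou=Group,dc=example,dc=com"): {   # assumed entry
        "objectClass": ["groupOfNames", "top"],
        "member": ["uid=chris,ou=Employee,ou=People,dc=example,dc=com"]},
}


def in_group(bind_dn, who, directory):
    """group[/objectClass[/attr]]="dn": member only if the group entry has that
    objectClass and the attribute contains the bound DN as a DN value.
    Defaults are groupOfNames / member, as in slapd."""
    spec, _, group_dn = who.partition("=")        # split on the first '=' only
    parts = spec.split("/")
    oc = parts[1] if len(parts) > 1 else "groupOfNames"
    attr = parts[2] if len(parts) > 2 else "member"
    group = directory.get(norm_dn(group_dn.strip('"')))
    if group is None:
        return False
    if oc.lower() not in [o.lower() for o in group.get("objectClass", [])]:
        return False
    return norm_dn(bind_dn) in [norm_dn(v) for v in group.get(attr, [])]


def who_matches(who, bind_dn, target_dn, directory):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("group"):
        return in_group(bind_dn, who, directory)
    raise ValueError("unsupported <who>: " + who)


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("unsupported <what>: " + what)


def access_level(acl, bind_dn, target_dn, attr, directory=DIRECTORY):
    """acl: list of (what, [(who, level), ...]).  Once a 'what' matches, only
    its 'by' list is consulted; no match there means 'none'."""
    for what, by_clauses in acl:
        if what_matches(what, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn, directory):
                    return level
            return "none"
    return "none"


def can_write(acl, bind_dn, target_dn, attr, directory=DIRECTORY):
    return LEVELS.index(access_level(acl, bind_dn, target_dn, attr, directory)) >= LEVELS.index("write")


# The ACL exactly as posted.
POSTED_ACL = [
    ("attrs=userPassword,loginShell", [
        ("self", "write"),
        ("anonymous", "auth"),
        ('group="cn=administrator,ou=Group,dc=example,dc=com"', "write"),
        ("*", "none")]),
    ("*", [("*", "read")]),
]

# Two candidate replacements for the group clause (helper constructed here):
POSIX_SPEC = 'group/posixGroup/memberUid="cn=administrator,ou=Group,dc=example,dc=com"'
ADMIN_SPEC = 'group="cn=ldapadmins,ou=Group,dc=example,dc=com"'


def acl_with_group(group_spec):
    """The posted ACL with group_spec as the group clause, repeated on the
    catch-all rule so the group can also change other attributes."""
    return [
        ("attrs=userPassword,loginShell", [
            ("self", "write"), ("anonymous", "auth"), (group_spec, "write"), ("*", "none")]),
        ("*", [(group_spec, "write"), ("*", "read")]),
    ]


if __name__ == "__main__":
    for name, acl in [("posted", POSTED_ACL),
                      ("posixGroup/memberUid", acl_with_group(POSIX_SPEC)),
                      ("groupOfNames/member", acl_with_group(ADMIN_SPEC))]:
        print(f"{name:22s} chris -> joe loginShell: {access_level(acl, CHRIS, JOE, 'loginShell')}")
```

Running it shows "none" for the posted ACL: `by group="..."` looks for objectClass groupOfNames and a `member` attribute, and the posixGroup has neither. Naming the attribute explicitly (`group/posixGroup/memberUid=`) still yields "none", because slapd compares the bound DN against the attribute's values and `memberUid` holds the bare string `chris`; the group attribute has to be DN-valued. A groupOfNames with `member: uid=chris,...` yields "write". Note also that the posted catch-all `access to * by * read` grants the group nothing beyond read on other attributes, so modifying attributes outside userPassword/loginShell or deleting entries needs the group clause there too.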