
Re: group access "write" in OpenLDAP 2.1.4

Fri, 2002-09-13 at 07:26, Michiko Nagara wrote:

> I have created the following group.
> (made reference to FAQ: 
>  How do I use groups as manage access controls?)

> +-dc=example,dc=com
> +--cn=administrators,dc=example,dc=com
> +--cn=fred blogs,dc=example,dc=com 

You haven't said whether you've made a record for Fred Bloggs, but I
presume you have.

> dn:cn=administrators,dc=example,dc=com
> cn: administrators of this region
> objectclass: groupOfNames
> objectclass: top
> member: cn=fred blogs,dc=example,dc=com 
> member: cn=somebody else,dc=example,dc=com


> access to *
>       by group="cn=administrators,dc=example,dc=com" write  
>       by * auth

I have a group, peoplemanagers, that has *limited* rights to change
certain attributes of members of a local group. These attributes are
personal details, such as phone number, password etc.

This is the relevant line from my ACL, it works :-) This is on a single

by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl" dnattr=member write

> When I tried to modify dn "cn=fred blogs,dc=example,dc=com",
> it works fine.
> But when I tried to search filter "(objectclass=*)", I got
> no entries.

Well, it works for me (with 2.1.4 /Berkeley 4.0.14). So, have you
indexed objectclass in slapd.conf (eq,pres), and have you run slapindex
(don't forget that the indices in the DB directory have to be able to be
read by the slapd user).




Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telephone:	(+31) (0)172 530428
Mobile:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
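
The ACL quoted in this thread, modelled as an added Python example (not written by either poster and not OpenLDAP code): a simplified first-match evaluation showing which access level each bind identity receives and whether that level is enough to search. The DN normalisation, the `cn=guest` identity and all function names are assumptions made for illustration.

```python
# Simplified model of slapd access evaluation for one "access to *" rule.
# Assumption: levels are ordered and each level implies the ones below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm_dn(dn):
    """Crude DN normalisation: trim, lowercase, drop spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.strip().split(","))

# Constructed directory data, taken from the group entry quoted in the thread.
GROUPS = {
    norm_dn("cn=administrators,dc=example,dc=com"): {
        norm_dn("cn=fred blogs,dc=example,dc=com "),
        norm_dn("cn=somebody else,dc=example,dc=com"),
    }
}

# The rule from the question: (who, level) pairs, evaluated top to bottom.
ACL = [
    (("group", "cn=administrators,dc=example,dc=com"), "write"),
    (("*", None), "auth"),
]

def granted_level(bind_dn, acl=ACL, groups=GROUPS):
    """Return the level of the first by-clause that matches the bound DN."""
    who_dn = norm_dn(bind_dn) if bind_dn else None  # None = anonymous bind
    for (kind, value), level in acl:
        if kind == "*":
            return level
        if kind == "group" and who_dn in groups.get(norm_dn(value), set()):
            return level
    return "none"  # no clause matched: implicit "by * none"

def allows(bind_dn, needed):
    """True if the bound identity holds at least the `needed` level."""
    return LEVELS.index(granted_level(bind_dn)) >= LEVELS.index(needed)

def can_search(bind_dn):
    # Matching a filter needs "search"; getting the entry back needs "read".
    return allows(bind_dn, "search") and allows(bind_dn, "read")

if __name__ == "__main__":
    for who in ("cn=Fred Blogs, dc=example, dc=com",
                "cn=guest,dc=example,dc=com", None):
        print(who or "(anonymous)", granted_level(who), can_search(who))
```

In this model only a bind DN listed in the group's `member` values reaches `write`; every other identity, including an anonymous bind, stops at `auth` and gets no entries back from a search.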
