Re: Group administration ACL
Fri, 2002-12-06 at 02:23, Stephen wrote:
> I'd like to allow a group of administrators to maintain a portion of the
> LDAP tree. The OpenLDAP document provides a hint on how to do this, but
> no examples, i.e.
> dnattr=<dn-valued attribute name>
> Here is an example of what I want to do ...
> For instance with a group of unique names:
> dn: cn=Directory Administrators, ou=Groups, o=airius.com
> cn: Directory Administrators
> objectclass: top
> objectclass: groupofuniquenames
> ou: Groups
> uniquemember: uid=kvaughan, ou=People, o=airius.com
> uniquemember: uid=rdaugherty, ou=People, o=airius.com
> uniquemember: uid=hmiller, ou=People, o=airius.com
> The ACL commonly provided in slapd.conf is
> access to attr=userPassword
> by self write
> by anonymous auth
> by * none
> So what would the ACL look like if access to userPassword was also
> allowed for everyone in the LDAP groupofuniquenames "Directory
I have a group for managers who can change other attributes than
userPassword for members in given groups. I use groupOfNames, but the
principle is the same. It works well:
by group="cn=peoplemanagers,ou=groups,dc=example,dc=com" dnattr=member
When all's said and done ...
there's nothing left to say or do.
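
As an added example (not written by either poster), this is one way to write the rule the question asks for, using slapd's `group/<objectclass>/<attribute>` form of the `by group` clause so that membership is read from `uniqueMember` in the question's groupOfUniqueNames entry. The group DN and the ou=People branch come from the question; granting the group `write`, and limiting that grant to ou=People, are assumptions about what the administrators should be allowed to do.

```conf
# slapd.conf fragment (added example; assumes the group entry from the question).
#
# "access to" directives are tried in order and the first one whose <what>
# part matches the target is used, so the narrower rule has to come first.
# Inside a directive the "by" clauses are also tried in order and evaluation
# stops at the first match.
#
# attr= is the spelling used in this thread; later OpenLDAP releases
# document the same keyword as attrs=.

# Rule 1: under ou=People only, members of the administrators group may
# write userPassword. Without the /groupOfUniqueNames/uniqueMember suffix,
# slapd looks for objectClass groupOfNames and attribute member, and the
# group in the question would never match.
access to dn.subtree="ou=People,o=airius.com" attr=userPassword
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=Directory Administrators,ou=Groups,o=airius.com" write
    by anonymous auth
    by * none

# Rule 2: everywhere else, the stock rule quoted in the question applies,
# so the group gets no extra access to passwords outside ou=People
# (including the group entries themselves and any service accounts).
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
```

`dnattr=<attribute>` tests something different from `group`: it matches when the requester's DN is listed in that attribute of the entry being accessed, rather than in a separate group entry.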