[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Group administration ACL

fre, 2002-12-06 kl. 02:23 skrev Stephen:
> I'd like to allow a group of administrators to maintain a portion of the 
> LDAP tree. The OpenLDAP document provides a hint on how to do this, but 
> no examples, i.e.
>         dnattr=<dn-valued attribute name
> Here is an example of what I want to do ...
> For instance with a goup of unique names:
> dn: cn=Directory Administrators, ou=Groups, o=airius.com
> cn: Directory Administrators
> objectclass: top
> objectclass: groupofuniquenames
> ou: Groups
> uniquemember: uid=kvaughan, ou=People, o=airius.com
> uniquemember: uid=rdaugherty, ou=People, o=airius.com
> uniquemember: uid=hmiller, ou=People, o=airius.com

> The ACL commonly provided in slapd.conf is
>    access to attr=userPassword
>         by self write
>         by anonymous auth
>         by * none
> So what would the ACL look like if access to userPassword was also 
> allowed for everyone in the LDAP groupofuniquenames "Directory 
> Administrators"?

I have a group for managers who can change other attributes than
userPassword for members in given groups. I use groupOfNames, but the
principle is the same. It works well:

 by group="cn=peoplemanagers,ou=groups,dc=example,dc=com" dnattr=member




Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl