
RE: unknown LDAP result code (-30990): using groups to manage ACL's

--On Friday, January 30, 2004 11:28 AM -0800 Chris Paul <chris.paul@sentinare.net> wrote:

Now, as someone a bit green with OpenLDAP, I'm wondering what would be a
workaround or another way to create some roles in OpenLDAP?

What I'd like to do is be able to put a user in an "admin group". Or
populate another object (organizationalRole?) with admins. I don't want
to have to modify an ACL to add an administrator.

Any recipes anyone care to share?

We use groups. ;) But I haven't used back-ldap.

We basically have:

dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: uid=quanah,cn=Accounts,dc=stanford,dc=edu

# $Id: slapd.acl,v 1.126 2004/01/30 06:20:23 quanah Exp $
# ACL include file for slapd

access to dn.base=""
       by * read

access to dn.base="cn=monitor"
       by * read

access to *
       by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
       by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
       by * break

[rest of acl's]


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
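The group-based role pattern above, worked through end to end as an added example (this is editor-supplied code, not Quanah's or Stanford's configuration): a slapd.conf ACL fragment that names each role group once, the LDIF that creates the groups, and the one-line ldapmodify that grants or revokes the role without touching the ACL. The suffix dc=example,dc=com, the ou=Groups / ou=People containers, the bootstrap account and the LDAP_URI / LDAP_BINDDN environment variables are all assumptions; nothing contacts a server unless LDAP_URI is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Role management via groups:
# the ACL names a group DN once; adding or removing an administrator is then
# an ldapmodify of the group's "member" attribute, never an ACL edit.
# Assumed layout: suffix dc=example,dc=com, groups under ou=Groups, users
# under ou=People, a "bootstrap" account to satisfy groupOfNames' MUST member.
set -eu

SUFFIX="dc=example,dc=com"
SUPERVISORS="cn=supervisor,ou=Groups,${SUFFIX}"
LDAPADMINS="cn=ldapAdmin,ou=Groups,${SUFFIX}"

# slapd.conf ACL fragment. Order matters: the first matching "access to"
# clause wins; inside it the first matching "by" wins, and "by * break"
# continues with the next clause instead of ending evaluation.
acl_fragment() {
    cat <<EOF
# rootDSE and cn=monitor are readable by anyone
access to dn.base=""
       by * read
access to dn.base="cn=monitor"
       by * read

# Role clauses. group.base defaults to objectClass groupOfNames and
# attribute member, so these lines check "member" values against the bound
# (authorization) DN. sasl_ssf=56 means the rule only fires when the bind is
# protected by a SASL security layer of at least 56 bits; a supervisor
# connecting without one silently falls through to the later clauses.
access to *
       by group.base="${SUPERVISORS}" sasl_ssf=56 write
       by group.base="${LDAPADMINS}" sasl_ssf=56 read
       by * break

# Everyone else: change your own password, read the rest
access to attrs=userPassword
       by self write
       by anonymous auth
       by * none
access to *
       by * read
EOF
}

# LDIF creating the two role groups (groupOfNames requires one member).
groups_ldif() {
    cat <<EOF
dn: ${SUPERVISORS}
objectClass: groupOfNames
cn: supervisor
member: uid=bootstrap,ou=People,${SUFFIX}

dn: ${LDAPADMINS}
objectClass: groupOfNames
cn: ldapAdmin
member: uid=bootstrap,ou=People,${SUFFIX}
EOF
}

# Grant a role: $1 = uid, $2 = group DN. The member value must be the DN the
# user actually binds as; group checks compare DNs, not uids.
grant_role_ldif() {
    cat <<EOF
dn: $2
changetype: modify
add: member
member: uid=$1,ou=People,${SUFFIX}
EOF
}

# Revoke a role: "delete: member" with a value removes only that value.
revoke_role_ldif() {
    cat <<EOF
dn: $2
changetype: modify
delete: member
member: uid=$1,ou=People,${SUFFIX}
EOF
}

# Apply against a live server only when LDAP_URI is set (assumed variables).
if [ -n "${LDAP_URI:-}" ]; then
    groups_ldif | ldapadd -H "$LDAP_URI" -D "${LDAP_BINDDN:?}" -W
    grant_role_ldif jdoe "$SUPERVISORS" | ldapmodify -H "$LDAP_URI" -D "$LDAP_BINDDN" -W
    # Verify who currently holds the role
    ldapsearch -LLL -H "$LDAP_URI" -D "$LDAP_BINDDN" -W -b "$SUPERVISORS" member
fi
```

Two practical checks before relying on this: slapd resolves the group internally, so the group entry and its member attribute must exist in a backend slapd can read (with back-ldap they live on the remote server, which is presumably the caveat behind "I haven't used back-ldap"); and membership is direct only, so a user listed in a group that is itself a member of cn=supervisor does not inherit the role.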