
Re: Am I still struggling with ACLs?



On Mon, 2004-07-19 at 04:13, Alexandre Garel wrote:
> Josiah Ritchie a écrit :
> 
> >I'm trying to make changes to the database as a different user than the
> >Manager and I am running into problems. I've played with the ACLs a lot
> >and from what I can tell they are good, but if I change them to just
> >"access to * by * write" things work as expected. I've been reading tons
> >of stuff, and must be missing one obvious thing that is assumed or
> >something. Your help again is appreciated. Here's the issue in detail...
> >
> >// I'm trying to run this command:
> ># ldapmodify -W 
> > -D "uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu"
> >
> >// I enter this change:
> >dn: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >changetype: modify         
> >add: memberUid
> >memberUid: JasonStroup
> >
> >// And get this response:
> >modifying entry "cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu"
> >ldapmodify: update failed: cn=Domain
> >Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >ldap_modify: Insufficient access (50)
> >
> >// I'm using the following ACLs:
> >
> >access to attr=userPassword
> >        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
> >        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
> >        by self write
> >        by anonymous auth
> >        by * none break
> >  
> >
> >access to *
> >        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
> >        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
> >        by self write
> >        by * read
> >  
> >
> >allow bind_v2
> >
> >// uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu is listed as
> >a memberUid attr in cn=Domain
> >Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >  
> >
> It seems that by default openldap expects a groupOfNames with the attribute 
> member. If you use a different objectClass and attribute for members 
> (memberUid), you must specify it: 
> group[/<objectclass>[/<attrname>]][.<style>]=<pattern> (see slapd.access).

So are you saying I need to write the ACL like this:
access to * by group/posixGroup/memberUid="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write

What is the default object class that would not require me to do it this
way?

Thanks,
JSR/
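As an added illustration (not part of the thread), the two forms of the group clause side by side in slapd.conf, using the DNs from Josiah's message: the bare `group=` style that slapd expands to groupOfNames/member, and the explicit objectClass/attribute form Alexandre points to in slapd.access.

```conf
# Added example (not from the thread). DNs are the ones used in the thread.

# Form 1: the default. With no objectclass/attribute given, slapd treats
# "group=" as group/groupOfNames/member, i.e. it looks for the bound DN in
# the "member" attribute of a groupOfNames entry. A posixGroup that keeps
# its members in memberUid never matches this clause, so the user falls
# through to "by * read" and ldapmodify returns Insufficient access (50).
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read

# Form 2: explicit objectClass and membership attribute, following
# group[/<objectclass>[/<attrname>]][.<style>]=<pattern> from slapd.access(5).
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group/posixGroup/memberUid.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read
```

Note that slapd.access(5) requires the membership attribute to have DN or NameAndOptionalUID syntax, while RFC 2307's memberUid is an IA5 string holding bare uids, so verify the clause with `slapacl -f slapd.conf -D "uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu" -b "cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu" memberUid/write` before relying on it.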