HELP with ACLs (dyngroup or set)
I have a Fedora Core 3 server with OpenLDAP 2.2.23 installed from the
tarball on the openldap.org web site.
I am using nss_ldap 220 (Fedora distributed RPM).
I need a way to use the authorizedService attribute (specifically
authorizedService=site-admin) to allow users to have write access to
the entire directory (that is, any user whose DN would be returned by
ldapsearch -x '(&(objectClass=posixAccount)(authorizedService=site-admin))'
should have full write access to everything in the directory).
I've tried doing this with sets and with a dynamic group. Neither appears
to work (insufficient access).
Here's my ACL using sets:
access to *
        by set="user/authorizedService & [site-admin]" write
Here's my attempt using a dynamic group:
access to *
Here's the dynamic group in LDIF format:
(note: the linebreak between sub? and (authorized... does not really exist
in the database, but is here for clarity)
If anyone understands either of these concepts well enough to help me
make this work, I would be very grateful for your assistance.
I am becoming somewhat desperate to get this working.
If it wasn't crypto-signed, it probably didn't come from me.
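An added slapd.conf ACL fragment for the set-based approach described in the post above (example configuration, not the poster's own, and not from the OpenLDAP project). It assumes a placeholder suffix of dc=example,dc=com and that authorizedService comes from the nss_ldap ldapns.schema; the set syntax follows slapd.access(5), where "/" dereferences an attribute of the entry on its left.

```conf
# Added example, not the poster's configuration.  Assumes the suffix
# dc=example,dc=com (placeholder) and that authorizedService is defined
# by the nss_ldap ldapns.schema.
#
# In a set expression "/" dereferences an attribute: user/authorizedService
# is the set of authorizedService values on the bound user's entry, and
# [site-admin] is a literal one-element set.  The "by set=" clause matches
# when their intersection is non-empty, i.e. when the user carries
# authorizedService=site-admin.
#
# Rule order matters twice over.  The first "access to <what>" whose
# target matches is the only one evaluated, so an "access to *" placed
# first hides every rule after it.  Within a rule the "by" clauses are
# tried in order, and a rule whose only clause names the site-admins
# leaves everyone else with the implicit "by * none".

# Passwords: site-admins and the entry's owner may set them; anonymous
# may only use them to bind.
access to attrs=userPassword
        by set="user/authorizedService & [site-admin]" write
        by self write
        by anonymous auth
        by * none

# authorizedService is the privilege-granting attribute.  Never let
# "self" write it, or any user could add site-admin to their own entry.
access to attrs=authorizedService
        by set="user/authorizedService & [site-admin]" write
        by users read
        by * none

# Catch-all, last: site-admins get full write, authenticated users read.
access to *
        by set="user/authorizedService & [site-admin]" write
        by users read
        by * none
```

After reloading slapd, test with a bind as a site-admin user and as an ordinary user (for example with ldapmodify -x -D <userdn> -W) rather than as the rootdn, which bypasses ACLs entirely.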