
Re: HELP with ACLs (dyngroup or set)

--On Tuesday, February 22, 2005 1:12 PM -0800 Owen DeLong <owen@delong.com> wrote:

I have a Fedora Core 3 server with OpenLDAP 2.2.23 installed from the
tarball on the openldap.org web site.

I am using nss_ldap 220 (Fedora distributed RPM).

I need a way to use the authorizedService attribute (specifically
authorizedService=site-admin) to allow users to have write access to
the entire directory (that is, any user whose DN would be returned
by:

ldapsearch -x
'(&(objectClass=posixAccount)(authorizedService=site-admin))'  dn

should have full write access to everything in the directory.

I've tried doing this with sets and with a dynamic group.  Neither appears
to work (insufficient access).

Here's my ACL using sets:

access to *
        by set="user.authorizedService & [site-admin]" write
        ...

In looking at the set ACL I use, it should be:

by set.exact="user/authorizedService & [site-admin]" write.


The FAQ on sets backs this up:

<http://www.openldap.org/faq/data/cache/1133.html>


Here's my attempt using a dynamic group:

access to *
        by group="cn=site-admins,ou=groups,dc=example,dc=com"
        ...

According to the slapd.access manpage, I believe this should be:

group/groupOfURLs/memberURL="cn=site-admins,ou=groups,dc=bluewater-aquatics,dc=com" write

The DN you have in the above URL in no way matches the LDIF listed below.

--Quanah

Here's the dynamic group in LDIF format:
dn: cn=site-admins,ou=groups,dc=bluewater-aquatics,dc=com
objectClass: top
objectClass: groupOfURLs
cn: site-admins
memberURL: ldap:///ou=people,dc=example,dc=com??sub?
	(authorizedService=site-admin)

(note: linebreak between sub? and (authorized... does not really exist
in the database, but, is here for clarity)

If anyone understands either of these concepts well enough to help me
make this work, I would be very grateful for your assistance.

I am becoming somewhat desperate to get this working.

Thanks,

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
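As an added example (not from either poster), a slapd.conf ACL fragment that puts the two corrected forms from this thread together. It assumes the suffix dc=example,dc=com and that the site-admin users are the posixAccount entries carrying authorizedService=site-admin from Owen's ldapsearch filter; the group DN it quotes is the one the groupOfURLs entry must actually have, since Quanah's point was that the DN in the ACL and the DN in the LDIF did not match.

```conf
# Added example, not code from the thread. Assumed suffix: dc=example,dc=com.
# slapd evaluates "access to" clauses in order; the first clause whose target
# matches is used, and within it the first matching "by" clause decides.

# Approach 1: set-based. "user" is the requester's own entry; its
# authorizedService values are intersected with the literal [site-admin].
# A non-empty result grants write to every entry and attribute.
access to *
        by set.exact="user/authorizedService & [site-admin]" write
        by * read
        # "by * read" is an assumed fallback for this example; Owen's own
        # remaining "by" clauses were elided in the thread.

# Approach 2: dynamic group, in the group/<objectClass>/<attr> form Quanah
# quotes from slapd.access(5). The DN must be exactly the DN of the
# groupOfURLs entry in the database, and the memberURL inside that entry
# must use the same suffix (the thread's LDIF mixed
# dc=bluewater-aquatics,dc=com and dc=example,dc=com).
# access to *
#         by group/groupOfURLs/memberURL="cn=site-admins,ou=groups,dc=example,dc=com" write
#         by * read
```

Only one of the two "access to *" clauses should be active at a time, since the first matching target clause ends evaluation for that request.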