[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HELP with ACLs (dyngroup or set)

--On Tuesday, February 22, 2005 1:12 PM -0800 Owen DeLong <owen@delong.com> wrote:

I have a Fedora Core 3 server with OpenLDAP 2.2.23 installed from the
tarball on the openldap.org web site.

I am using nss_ldap 220 (Fedora distributed RPM).

I need  a way to use the authorizedService attribute (specifically
authorizedService=site-admin) to allow users to have write access to
the entire directory (that is, any user whose DN would be returned

ldapsearch -x
'(&(objectClass=posixAccount)(authorizedService=site-admin))'  dn

should have full write access to everything in the directory.

I've tried doing this with sets and with a dynamic group.  Neither appears
to work (insufficient access).

Here's my ACL using sets:

access to *
        by set="user.authorizedService & [site-admin]" write

In looking at the set ACL I use, it should be:

by set.exact="user/authorizedService & [site-admin]" write.

The FAQ on sets backs this up:


Here's my attempt using a dynamic group:

access to *
        by group="cn=site-admins,ou=groups,dc=example,dc=com"

According to the slapd.access manpage, I believe this should be:

group/groupOfURLs/memberURL="cn=site-admins,ou=groups,dc=bluewater-aquatics,dc=com" write

The DN you have in the above URL in no way matches the LDIF listed below.


Here's the dynamic group in LDIF format:
dn: cn=site-admins,ou=groups,dc=bluewater-aquatics,dc=com
objectClass: top
objectClass: groupOfURLs
cn: site-admins
memberURL: ldap:///ou=people,dc=example,dc=com??sub?

(note: linebreak between sub? and (auhorized... does not really exist
in the database, but, is here for clarity)

If anyone understands either of these concepts well enough to help me
make this work, I would be very grateful for your assistance.

I am becoming somewhat desperate to get this working.



If it wasn't crypto-signed, it probably didn't come from me.

Version: GnuPG v1.2.2 (Darwin)


-- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin