
Re: ACL question

Hi again,

I'm just trying to create an ACL which would give the group

  cn=Domain Admins,ou=Groups,dc=my,dc=domain

members access to add, modify and delete entries from groups


I just noticed that e.g. my group 'Domain Admins' (created with the smbldap-populate script) doesn't include objectClass groupOfNames, but only posixGroup and sambaGroupMapping, and group members are defined by the attribute memberUid. So I tried the following

  access to dn="ou=Users,dc=my,dc=domain"
    by group/posixGroup/memberUid.exact="cn=Domain \
    by * none

but when I run slaptest, it returned an error

  /etc/openldap/slapd.conf: line 139: group "cn=Domain \
    Admins,ou=Groups,dc=physics,dc=helsinki,dc=fi": \
    inappropriate syntax:

<access clause> ::= access to <what> [ by <who> <access> [ <control> ]
<who> ::= [group[/<objectclass>[/<attrname>]][.<style>]=<group>]

Shouldn't that be consistent with my ACL definition for group? Should I add e.g. groupOfNames object class to my group entries and define group members with Member attribute?

IT Services Administrator, Department of Physical Sciences,
University of Helsinki, firstname lastname at helsinki fi,
tel. +358 (0)9 191 50713, fax. +358 (0)9 191 50610
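An added example, not part of the post above, showing why the ACL is rejected and what a working configuration looks like. slapd's `group/<objectclass>/<attrname>` ACL clause resolves the subject by comparing the bound DN against the values of `<attrname>`, so that attribute must have distinguishedName syntax; `memberUid` holds plain uid strings, which is the "inappropriate syntax" slaptest reports. The fragment below uses a groupOfNames entry with DN-valued `member` values instead. The container `ou=ACLGroups` and the members `alice` and `bob` are assumptions for illustration; the other DNs are the anonymised ones from the post.

```conf
# Added example (not from the original post). Two pieces: a groupOfNames
# entry the ACL can evaluate, and the slapd.conf access clauses that use it.

# 1. Group entry, shown here as LDIF. groupOfNames requires at least one
#    member, and member values are DNs, which is what the group ACL needs.
#    In the stock nis.schema posixGroup is STRUCTURAL, as is groupOfNames,
#    and slapd refuses two unrelated structural classes in one entry; so
#    either keep a separate groupOfNames entry (as here) or use the
#    rfc2307bis schema, where posixGroup is AUXILIARY and can be combined.
#
#    dn: cn=Domain Admins,ou=ACLGroups,dc=my,dc=domain      (ou=ACLGroups assumed)
#    objectClass: groupOfNames
#    cn: Domain Admins
#    member: uid=alice,ou=Users,dc=my,dc=domain               (assumed member)
#    member: uid=bob,ou=Users,dc=my,dc=domain                 (assumed member)

# 2. slapd.conf ACLs. groupOfNames/member is the default for "group=", so
#    the explicit objectclass/attrname are written out only for clarity.
#    Adding or deleting an entry needs write access to the parent's
#    "children" pseudo-attribute as well as to the entry itself, hence the
#    separate clause on ou=Users. Clauses are matched first-hit on the
#    target, so these must come before any broader "access to *" clause.
access to dn.base="ou=Users,dc=my,dc=domain" attrs=children
    by group/groupOfNames/member.exact="cn=Domain Admins,ou=ACLGroups,dc=my,dc=domain" write
    by * none

access to dn.children="ou=Users,dc=my,dc=domain"
    by group/groupOfNames/member.exact="cn=Domain Admins,ou=ACLGroups,dc=my,dc=domain" write
    by * none
```

`dn.children` matches every entry below ou=Users without granting write on the ou=Users entry itself, and `by * none` as the last line denies everyone else for those targets, including the users' own entries; add a `by self write` or `by * read` line before it if that is not the intended policy. Re-run `slaptest` after the change to confirm the clause parses.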