On Wednesday 21 December 2005 15:36, Jukka Hienola wrote:
> Hi again,
>
> I'm just trying to create an ACL which would give group
>
> cn=Domain Admins,ou=Groups,dc=my,dc=domain
>
> members access to add, modify and delete entries from groups

I assume this is for use by samba. But, what dn is actually going to make these changes? Is it *really* the DN of real users (members of the samba group Domain Admins), or is it using the DN you have configured for samba/smbldap-tools (or similar) etc (with samba controlling the use of this dn via rights)?

> ou=Users,dc=my,dc=domain
> ou=Groups,dc=my,dc=domain
> ou=Computers,dc=my,dc=domain
> ou=Printers,dc=my,dc=domain
>
> I just noticed that e.g. my group 'Domain Admins' (created with
> smbldap-populate script) doesn't include objectClass groupOfNames, but
> only posixGroup and sambaGroupMapping, and group members are defined by
> attribute memberUid. So I tried the following
>
> access to dn="ou=Users,dc=my,dc=domain"
>     by group/posixGroup/memberUid.exact="cn=Domain Admins,ou=Groups,dc=my,dc=domain"
>     by * none
>
> but when I run slaptest, it returned an error
>
> /etc/openldap/slapd.conf: line 139: group "cn=Domain Admins,ou=Groups,dc=physics,dc=helsinki,dc=fi": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26

This is the syntax of memberUid, whereas it wants a DN syntax.

> <access clause> ::= access to <what> [ by <who> <access> [ <control> ] ...
> <who> ::= [group[/<objectclass>[/<attrname>]][.<style>]=<group>] ...
>
> Shouldn't that be consistent with my ACL definition for group?

A group for OpenLDAP has values with DNs, not uids.

> Should I
> add e.g. groupOfNames object class to my group entries and define group
> members with Member attribute?

Well, I instead use a groupOfNames cn=Domain Controllers, have DNs for each host, and add those as members of cn=Domain Controllers, and give that group rights to create users.
You may be interested in this example:
http://cvs.mandriva.com/cgi-bin/cvsweb.cgi/SPECS/openldap/slapd.access.conf

Which also shows that you don't need a huge list of attributes; use the objectclass instead (i.e. @sambaSamAccount).

Note that the samba aspects of this are quite off-topic ...

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
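The following is an added example, not part of Buchan's reply or of the Mandriva file he links to, showing the ACL shape he describes: the `group/<objectclass>/<attrname>` selector needs an attribute with DN syntax, which `memberUid` (syntax OID 1.3.6.1.4.1.1466.115.121.1.26, IA5 String) is not, so the group entry is a `groupOfNames` whose `member` values are the DNs of the hosts, and that group is granted the rights. The base DN `dc=my,dc=domain`, the group `cn=Domain Controllers,ou=Groups`, the host DNs and the `@posixAccount` objectclass are assumptions for the example; the `entry` and `children` pseudo-attributes are the OpenLDAP 2.3 requirement for adding and deleting entries.

```conf
# Added example (not from the thread). Assumed base DN dc=my,dc=domain and
# assumed group cn=Domain Controllers,ou=Groups,dc=my,dc=domain.
#
# Group membership for a "by group/..." ACL must come from a DN-valued
# attribute, so the group is a groupOfNames (member: <DN>) rather than a
# posixGroup (memberUid: <uid>, IA5 String syntax). Constructed LDIF for
# the group entry:
#
#   dn: cn=Domain Controllers,ou=Groups,dc=my,dc=domain
#   objectClass: groupOfNames
#   cn: Domain Controllers
#   member: uid=dc1$,ou=Computers,dc=my,dc=domain
#   member: uid=dc2$,ou=Computers,dc=my,dc=domain

# Creating or removing an entry under ou=Users needs write access to the
# parent's "children" pseudo-attribute (OpenLDAP 2.3).
access to dn.exact="ou=Users,dc=my,dc=domain" attrs=children
    by group/groupOfNames/member.exact="cn=Domain Controllers,ou=Groups,dc=my,dc=domain" write
    by * none

# The entries themselves: write on the "entry" pseudo-attribute (needed for
# add/delete) plus the attributes of the relevant objectclasses, named via
# @objectclass instead of a long attrs= list. Nothing else is granted, so
# the group cannot touch attributes outside these classes.
access to dn.children="ou=Users,dc=my,dc=domain" attrs=entry,@sambaSamAccount,@posixAccount
    by group/groupOfNames/member.exact="cn=Domain Controllers,ou=Groups,dc=my,dc=domain" write
    by self read
    by * none
```

Run `slaptest` after editing: with `member` in place of `memberUid` the "inappropriate syntax" error from the thread no longer appears, because `member` carries DN syntax. Keep the `dn.exact`/`children` clause before any broader clause for the same subtree, since slapd stops at the first `access to` that matches the target.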