
Re: ACL question

On Wednesday 21 December 2005 15:36, Jukka Hienola wrote:
> Hi again,
> I'm just trying to create ACLs which would give group
>    cn=Domain Admins,ou=Groups,dc=my,dc=domain
> members access to add, modify and delete entries from groups

I assume this is for use by samba.

But what dn is actually going to make these changes? Is it *really* the DN of 
real users (members of the samba group Domain Admins), or is it using the DN 
you have configured for samba/smbldap-tools (or similar) etc. (with samba 
controlling the use of this dn via rights)?

>    ou=Users,dc=my,dc=domain
>    ou=Groups,dc=my,dc=domain
>    ou=Computers,dc=my,dc=domain
>    ou=Printers,dc=my,dc=domain
> I just noticed that e.g. my group 'Domain Admins' (created with
> smbldap-populate script) doesn't include objectClass groupOfNames, but
> only posixGroup and sambaGroupMapping, and group members are defined by
> attribute memberUid. So I tried the following
>    access to dn="ou=Users,dc=my,dc=domain"
>      by group/posixGroup/memberUid.exact="cn=Domain \
> 				Admins,ou=Groups,dc=my,dc=domain"
>      by * none
> but when I run slaptest, it returned an error
>    /etc/openldap/slapd.conf: line 139: group "cn=Domain \
> 	Admins,ou=Groups,dc=physics,dc=helsinki,dc=fi": \
> 	inappropriate syntax:

This is the syntax of memberUid, whereas it wants a dn syntax.

> <access clause> ::= access to <what> [ by <who> <access> [ <control> ]
> ...
> <who> ::= [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
> ...
> Shouldn't that be consistent with my ACL definition for group?

A group for OpenLDAP has values with DNs, not uids.

> Should I 
> add e.g. groupOfNames object class to my group entries and define group
> members with Member attribute?

Well, I instead use a groupOfNames cn=Domain Controllers, have DNs for each 
host, and add those as members of cn=Domain Controllers, and give that group 
rights to create users.

You may be interested in this example:

Which also shows that you don't need a huge list of attributes; use the 
objectclass instead (i.e. @sambaSamAccount).

Note that the samba aspects of this are quite off-topic ...


Buchan Milne
ISP Systems Specialist
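
Added example, not part of the original message or of any project's code: a sketch of the DN-valued group the reply describes, built from memberUid login names, plus an access clause that references it. The uid=<name>,ou=Users layout, the cn=domain-admins-acl entry name and the write access level are assumptions.

```python
import re

# Constructed sample layout (assumptions, not taken from a real directory).
SUFFIX = "dc=my,dc=domain"
USERS_BASE = f"ou=Users,{SUFFIX}"   # assumes users are uid=<name>,ou=Users,...
ACL_GROUP_CN = "domain-admins-acl"  # hypothetical groupOfNames entry
ACL_GROUP_DN = f"cn={ACL_GROUP_CN},ou=Groups,{SUFFIX}"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    body = re.sub(r'([\\",+;<>])', r"\\\1", value)
    if value.startswith((" ", "#")):
        body = "\\" + body
    if value.endswith(" ") and len(value) > 1:
        body = body[:-1] + "\\ "
    return body


def member_dns(member_uids):
    """Turn memberUid values (bare login names) into de-duplicated user DNs."""
    seen, dns = set(), []
    for uid in member_uids:
        if not uid or not uid.isascii():
            raise ValueError(f"unsupported memberUid value: {uid!r}")
        dn = f"uid={escape_rdn_value(uid)},{USERS_BASE}"
        if dn.lower() not in seen:
            seen.add(dn.lower())
            dns.append(dn)
    if not dns:
        raise ValueError("groupOfNames requires at least one member value")
    return dns


def group_ldif(member_uids):
    """LDIF for a groupOfNames entry whose member values have DN syntax."""
    lines = [f"dn: {ACL_GROUP_DN}", "objectClass: groupOfNames", f"cn: {ACL_GROUP_CN}"]
    lines += [f"member: {dn}" for dn in member_dns(member_uids)]
    return "\n".join(lines) + "\n"


def acl_clause(target_dn):
    """slapd.conf access clause that resolves membership via the DN-valued group."""
    return (f'access to dn.subtree="{target_dn}"\n'
            f'    by group/groupOfNames/member.exact="{ACL_GROUP_DN}" write\n'
            f"    by * none\n")


if __name__ == "__main__":
    print(group_ldif(["root", "alice", "root"]))  # constructed memberUid values
    print(acl_clause(USERS_BASE))
```

Check the generated clause with slaptest before loading it, and confirm that each generated member DN matches a real user entry.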
