
Re: ACL question



Jukka Hienola wrote:
Buchan Milne wrote:

I assume this is for use by samba.

But, what DN is actually going to make these changes? Is it *really* the DN of real users (members of the Samba group Domain Admins), or is it using the DN you have configured for samba/smbldap-tools (or similar) etc. (with Samba controlling the use of this DN via rights)?


In my case it is really the DN of real users. People in the Samba group Domain Admins are granted access to do what I described above (with smbldap-tools), but what I really want is that all DNs in the group Domain Admins would have similar rights also when performing similar actions on the command line with the ldap{search|add|modify|delete} commands, or more precisely I want these people to access my LDAP directory with phpldapadmin.

Got it finally working. I'm answering myself, since I'm sick and tired of reading threads which don't lead to any conclusion on how to solve the original problem. My solution here may be stupid or even wrong, but it solved my problem.


I had to create a new group to use instead of Domain Admins (used by Samba only):

dn: cn=Mightymouses,ou=Users,dc=my,dc=domain
objectClass: groupOfNames
objectClass: top
cn: Mightymouses
member: uid=mouse0,ou=Users,dc=my,dc=domain
member: uid=mouse1,ou=Users,dc=my,dc=domain
...

and change the required ACLs in slapd.conf to the form

access to dn="ou=Users,dc=my,dc=domain" attrs=children,entry
by group/groupOfNames/member="cn=Mightymouses,ou=Users,dc=my,dc=domain" write
...


In all the documentation I found, the member attributes were in the form

member: cn=Mouse 0,ou=Users,dc=my,dc=domain

instead of

member: uid=mouse0,ou=Users,dc=my,dc=domain

In my case, I couldn't make it work with the former, but only with the latter. This is most likely due to my (poor) directory planning, since I use uid instead of cn to distinguish my real users.

Jukka
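An added example, not part of the thread, showing a complete ordered slapd.conf ACL set for the setup Jukka describes (group-based write access via groupOfNames/member), using the thread's placeholder names (dc=my,dc=domain, cn=Mightymouses, uid=mouse0). It assumes the group entry lives under ou=Users as in the LDIF above and that the directory administrator binds as the rootdn, which bypasses ACLs.

```conf
# Added example (not from the thread): ordered ACLs for the Mightymouses setup.
# slapd uses the first "access to" clause whose <what> matches the target,
# and within it the first matching "by" line. Narrow rules must come first,
# or a broad rule earlier in the file shadows them and they are never reached.

# 1. Passwords: owner and group members may replace them, anonymous may only
#    use them to bind (auth), nobody else may read them.
access to dn.children="ou=Users,dc=my,dc=domain" attrs=userPassword
    by self write
    by anonymous auth
    by group/groupOfNames/member="cn=Mightymouses,ou=Users,dc=my,dc=domain" write
    by * none

# 2. The group entry itself is under ou=Users, so without this rule the broad
#    rule 4 below would let members add other members to the group. Keep it
#    read-only; the rootdn (which bypasses ACLs) maintains membership.
access to dn.base="cn=Mightymouses,ou=Users,dc=my,dc=domain"
    by * read

# 3. Adding or deleting user entries needs write on the 'children'
#    pseudo-attribute of the parent (ou=Users). "group/groupOfNames/member="
#    is the explicit form of the default "group="; membership is an exact DN
#    comparison, so the member: values must be the real bind DNs
#    (uid=mouse0,... here), not a cn= spelling of the same person.
access to dn.base="ou=Users,dc=my,dc=domain" attrs=children,entry
    by group/groupOfNames/member="cn=Mightymouses,ou=Users,dc=my,dc=domain" write
    by * read

# 4. Everything else on the user entries (all attributes, including the
#    'entry' pseudo-attribute needed to delete them): members write, others read.
access to dn.children="ou=Users,dc=my,dc=domain"
    by group/groupOfNames/member="cn=Mightymouses,ou=Users,dc=my,dc=domain" write
    by * read

# 5. Catch-all for the rest of the tree.
access to *
    by * read
```

Effective rights can be checked without touching data with slapacl, e.g. `slapacl -f /etc/openldap/slapd.conf -D "uid=mouse0,ou=Users,dc=my,dc=domain" -b "ou=Users,dc=my,dc=domain" children/write`, which reports whether that DN would get write access to the parent's children pseudo-attribute.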