Re: ACL question
Jukka Hienola wrote:
Buchan Milne wrote:
I assume this is for use by samba.
But, what dn is actually going to make these changes? Is it *really*
the DN of real users (members of the samba group Domain Admins), or is
it using the DN you have configured for samba/smbldap-tools (or
similar) etc. (with samba controlling the use of this dn via rights)?
In my case it is really the DN of real users. People in the Samba group Domain
Admins are granted access to do what I described above (with
smbldap-tools), but what I really want is that all DNs in the group Domain
Admins would also have similar rights when performing similar actions on the
command line with the ldap{search|add|modify|delete} commands, or more
precisely I want these people to access my LDAP directory with
phpldapadmin.
Got it finally working. I'm answering myself, since I'm sick and
tired of reading threads which don't lead to any conclusion on how to
solve the original problem. My solution here may be stupid or even
wrong, but it solved my problem.
I had to create a new group to use instead of Domain Admins (used by Samba
only):
dn: cn=Mightymouses,ou=Users,dc=my,dc=domain
objectClass: groupOfNames
objectClass: top
cn: Mightymouses
member: uid=mouse0,ou=Users,dc=my,dc=domain
member: uid=mouse1,ou=Users,dc=my,dc=domain
...
and change the required ACLs in slapd.conf to the form
access to dn="ou=Users,dc=my,dc=domain" attrs=children,entry
by group/groupOfNames/member="cn=Mightymouses,ou=Users,dc=my,dc=domain" write
...
In all the documentation I found, the member attributes were in the form
member: cn=Mouse 0,ou=Users,dc=my,dc=domain
instead of
member: uid=mouse0,ou=Users,dc=my,dc=domain
In my case, I couldn't make it work with the former, but only with the
latter. This is most likely due to my (poor) directory planning, since I
use uid instead of cn to distinguish my real users.
Jukka
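An added illustration (not from this thread, and not slapd's own code) of why only the uid= form of the member values worked: a small Python model of how a `by group/groupOfNames/member="..."` clause is evaluated. The bound DN must appear, as a normalized DN, among the group's member values; nothing else about the user entry is consulted. The directory contents and the second group `cn=DocsGroup` are constructed for the example, and DN normalization is simplified (no multi-valued RDNs or escaped commas).

```python
# Constructed sample directory, DN -> attributes: the group from the post plus a
# hypothetical second group that lists its member by cn, as the docs showed.
DIRECTORY = {
    "cn=Mightymouses,ou=Users,dc=my,dc=domain": {
        "objectClass": ["groupOfNames", "top"],
        "member": ["uid=mouse0,ou=Users,dc=my,dc=domain",
                   "uid=mouse1,ou=Users,dc=my,dc=domain"],
    },
    "cn=DocsGroup,ou=Users,dc=my,dc=domain": {
        "objectClass": ["groupOfNames", "top"],
        "member": ["cn=Mouse 0,ou=Users,dc=my,dc=domain"],
    },
}


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: attribute types and values are folded to
    lower case (cn and uid use caseIgnoreMatch) and whitespace around RDN
    components is dropped. Simplification: multi-valued RDNs and escaped
    commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def find_entry(dn: str):
    """Look up an entry by DN, comparing normalized forms."""
    wanted = normalize_dn(dn)
    return next((a for d, a in DIRECTORY.items() if normalize_dn(d) == wanted), None)


def group_grants(bind_dn: str, group_dn: str, objectclass: str = "groupOfNames",
                 member_attr: str = "member") -> bool:
    """Model of a 'by group/<objectclass>/<member_attr>="<group_dn>"' clause:
    it matches only if the group entry exists, carries <objectclass>, and lists
    the bound DN (after normalization) in <member_attr>. The user entry itself
    is never consulted, so a member value naming the user by a different RDN
    (cn= instead of the uid= the user binds with) never matches."""
    entry = find_entry(group_dn)
    if entry is None:
        return False  # missing group: this clause never matches
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if objectclass.lower() not in classes:
        return False
    members = {normalize_dn(m) for m in entry.get(member_attr, [])}
    return normalize_dn(bind_dn) in members
```

Checking the bind DN against the wrong group, or against a group whose objectClass or member attribute differs from the clause, silently yields no match, so the request falls through to the next `by` line rather than producing an error.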