
Re: ACL's and dynlist confusion

Howard Chu wrote:
Ski Kacoroski wrote:

I am using openldap 2.3.24 and have the following ACL:

# for everything else, admins can read & write
access to *
       by group="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
       by * none

My test account is a member of ldapadmins:

dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups= ldapadmins
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org

However, when I try to access an object:

Why is it asking for the groupOfNames objectclass? Do I have to add this object class to my schema for dynlists?

You have to read slapd.access(5) and understand how to properly specify a group ACL.

I was not able to get group ACLs to work, but I was able to get set ACLs to work. If I understood a posting to the list, this is a more efficient method. The ACL I have that works is:

access to *
       by set="user/nsdGroups* & [ldapadmins]" write
       by * none

Am I missing anything here?



-- "When we try to pick out anything by itself, we find it connected to the entire universe" John Muir

Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
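Added example, not from the thread or from OpenLDAP's own code: a small Python simulation of how slapd evaluates the two "by" clauses quoted above. Per slapd.access(5), a group clause defaults to objectClass groupOfNames and attribute member unless written as group/<objectclass>/<attr>=..., while the set clause intersects the user's own nsdGroups values with the literal [ldapadmins]; the directory snapshot is constructed, and the reading of the trailing "*" as transitive closure (a no-op for plain string values) is this example's assumption.

```python
# Simulation of the thread's ACL "by" clauses, not slapd code.
# LDAP attribute names and DNs are case-insensitive, so everything is
# normalised (lower-cased, whitespace collapsed) before comparison.

def norm(value):
    """Simplified LDAP normalisation for DNs and attribute values."""
    return " ".join(value.lower().split())

# Constructed directory snapshot modelled on the entries in the thread.
DIRECTORY = {
    "cn=ldapadmins,ou=groups,dc=nsd,dc=org": {
        "objectclass": ["nsdGroupOfMemberURLs"],
        "member": ["uid=test2,ou=staff,ou=People,dc=nsd,dc=org"],
    },
    "uid=test2,ou=staff,ou=people,dc=nsd,dc=org": {
        "objectclass": ["inetOrgPerson"],
        "nsdgroups": ["ldapadmins", "staff"],
    },
    "uid=test3,ou=staff,ou=people,dc=nsd,dc=org": {   # not an admin
        "objectclass": ["inetOrgPerson"],
        "nsdgroups": ["staff"],
    },
}

def get(dn, attr):
    """Normalised values of <attr> on entry <dn> (empty if absent)."""
    return [norm(v) for v in DIRECTORY.get(norm(dn), {}).get(attr.lower(), [])]

def group_clause_matches(user_dn, group_dn,
                         objectclass="groupOfNames", attr="member"):
    """by group[/objectclass[/attr]]=<group_dn>: slapd fetches the group
    entry, requires it to carry <objectclass> (default groupOfNames) and
    then checks whether the bound DN is one of its <attr> values."""
    if norm(objectclass) not in get(group_dn, "objectClass"):
        return False          # the check that fails for nsdGroupOfMemberURLs
    return norm(user_dn) in get(group_dn, attr)

def set_clause_matches(user_dn, attr="nsdGroups", literal="ldapadmins"):
    """by set="user/<attr>* & [<literal>]": values of <attr> on the user's
    own entry (the trailing * is a closure, trivial for string values)
    intersected with the literal set; a non-empty result is a match."""
    return bool(set(get(user_dn, attr)) & {norm(literal)})
```

The default group clause fails on the objectClass check alone, whereas group/nsdGroupOfMemberURLs/member=... and the set clause both admit uid=test2.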