[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs - allowing a user to add a new attribute



On Mon, Apr 12, 2010 at 01:14:40PM -0400, Matt Ingram wrote:

> We're trying to implement acls that will allow our Admins to modify the 
> LDAP directory without using a generic admin account, and using their own 
> credentials within LDAP.  Our requirement is that the Admins can modify the 
> mail, uid and userPassword attributes.  Which I have working.  Part of this 
> also requires that the Admin has the ability to add those attributes.  That 
> does not work.

>From an ACL perspective there is really no difference between adding
an attribute and modifying its value.

One comment I would make about your ACLs is that in several places you
are granting read access to userPassword. This is not usually
necessary nor is it a good idea. You need 'by * auth' access to permit
authentication, but only need to give '=w' access to those who need to
change passwords. Remember that the 'write' keyword includes read access.

If your ACLs are not doing what you expect, you may need to turn on
'loglevel ACL' (see slapd.conf(5)). The output is voluminous, but it
can help you to understand what is going on.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------