
Usage of groups in an access control

I have been using openLDAP for years to store my users so I have to define them only once. The users can log on to both Linux and Windows (samba). Now I want to add address books and manage the access rights.

I have a problem with the usage of groups in an access control. I want to have address books in my LDAP, but they should not be accessible by everybody. I used http://www.openldap.org/faq/data/cache/52.html to configure openLDAP, but it does not seem to work. I have created a group like this:

dn: cn=abk-admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
member: cn=My ENTRY,ou=People,dc=example,dc=com
cn: abk-admin

and an address book like this:

dn: ou=abk1,ou=Addressbooks,dc=example,dc=com
ou: abk1
objectClass: organizationalUnit
objectClass: top

(Both entries are output of slapcat. I left out attributes like creatorsName and entryUUID.)

In slapd.conf I have the following access rules:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=proxyuser,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none

access to attrs=shadowLastChange,shadowMax
        by self write
        by * read

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
        by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
        by * none

I searched around and changed dn.children to dn.subtree and dn.one, but the result is the same. I can read the entries but I cannot insert or delete an entry. I can only do this as admin, and only if the line for admin is defined. What did I do wrong or understand wrong? I tried to find the answer on the internet but was not able to :(

OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39)
Debian 6.0.6
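The same five ACLs with the address-book rule moved above the catch-all, added here as an illustration and not part of the original post. slapd evaluates "access to" directives in file order and uses the first one whose target matches the entry; since "access to *" matches everything, the address-book rule placed after it is never consulted and every non-admin bind falls through to "by * read", which is exactly the read-only behaviour described. DNs are those from the post; the cn=abk-user group is assumed to exist alongside cn=abk-admin.

```conf
# Added example (not from the original post): same ACLs, reordered.
# Target matching stops at the first "access to" whose target matches,
# so the specific address-book rule must come before "access to *".

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=proxyuser,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none

access to attrs=shadowLastChange,shadowMax
        by self write
        by * read

access to dn.base="" by * read

# Specific rule first. dn.subtree (rather than dn.children) also covers
# ou=abk1 itself: adding or deleting an entry needs write access to the
# "children" pseudo-attribute of the parent entry, and a rule without
# attrs= covers the entry and children pseudo-attributes as well.
# "group/groupOfNames/member" is the documented spelling: object class
# groupOfNames, membership attribute member, as in the group entry above.
access to dn.subtree="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by group/groupOfNames/member="cn=abk-admin,ou=Roles,dc=example,dc=com" write
        by group/groupOfNames/member="cn=abk-user,ou=Roles,dc=example,dc=com" read
        by * none

# Catch-all last, so it only applies to entries no earlier rule matched.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
```

The effect can be checked offline, without restarting slapd, with slapacl, e.g. `slapacl -f /etc/ldap/slapd.conf -D "cn=My ENTRY,ou=People,dc=example,dc=com" -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" children/write` (config path assumed for Debian), which reports whether that bind DN is granted the requested access under the rules as written.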