[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: openldap-technical@openldap.org
Subject: Re: Admin roles by group membership per OU
From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
Date: Thu, 12 Oct 2017 09:16:24 +0200
Content-language: fr
In-reply-to: <20171011153114.GA6037@arxnet.hu>
Organization: Savoir-Faire Linux
References: <20171011153114.GA6037@arxnet.hu>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1



Le 11/10/2017 à 17:31, Ervin Hegedüs a écrit :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth


The rule {2} catches all requests (to *  by *) so rule {3} is never applied.

You can do :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write byanonymous auth by * none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" byself write by group.exact="cn=groupabcadmin,ou=ABCCustomer,dc=mycompany,dc=hu" write by * none

olcAccess: {3}to * by * read


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot

Follow-Ups:
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>

Prev by Date: Re: Replication error
Next by Date: Re: Replication error
Index(es):
- Chronological
- Thread