
Re: User-Managed Groups



On Fri, 7 Mar 2014 11:11:23 -0800,
Tim Gustafson <tjg@ucsc.edu> wrote:

> Hi,
> 
> I've had OpenLDAP set up for a while now such that users can create
> groups and manage the groups that they've created.  I've achieved this
> by creating a new objectClass (called "managedGroup") which adds the
> "manager" attribute, and then I've set up ACLs like this:
> 
> olcAccess: {14}to dn.base="ou=Groups,dc=whatever"
>   attrs=children
>   by users add
>   by * break
> olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever"
>   filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))"
>   attrs=entry
>   by users add
>   by * break
> olcAccess: {16}to dn.subtree="ou=Groups,dc=whatever"
>   attrs=cn,manager,memberUid,description
>   by set.exact="this/manager & user" write
>   by * break
> 
> I also have the "unique" overlay installed to prevent multiple groups
> from having the same "cn" or "gidNumber".
> 
> I've got a request from users to be able to re-name their groups now
> too.  I tried changing "by users add" to "by users write" in clause
> 14, and added the "entry" attribute to "attrs=" in clause 16, but the
> server is still not letting users re-name their groups.  The output of
> the log file looks like this:
> 
> slapd[44745]: => acl_get: [16] attr entry
> slapd[44745]: => acl_mask: access to entry "cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
> slapd[44745]: => acl_mask: to all values by "uid=g-guest,ou=people,dc=whatever", (=0)
> slapd[44745]: <= check a_dn_pat: users
> slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
> slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
> slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
> slapd[44745]: => access_allowed: no more rules
> 
> What am I missing?
> 

access to dn.base=ou=groups,dc=whatever
attrs=entry,children by .... read

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
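
A small reader for slapd ACL debug traces like the one quoted in this thread, as an added example that is not part of the original messages or of OpenLDAP: it reports which ACL and `by` clause decided a denied request and which privilege letters the granted mask lacks. The function names are constructed here, the sample is the quoted trace with its line wraps undone, and the expansion of `w` into `a` plus `z` follows slapd.access(5).

```python
import re

# Privilege letters each requested level needs; "w" is add (a) plus delete (z).
NEEDS = {"write": {"a", "z"}, "add": {"a"}, "delete": {"z"}, "read": {"r"},
         "search": {"s"}, "compare": {"c"}, "auth": {"x"}, "disclose": {"d"}}

ACL_GET = re.compile(r"acl_get: \[(\d+)\] attr (\S+)")
WHO = re.compile(r'acl_mask: to (?:all values|value) by "([^"]*)"')
APPLY = re.compile(r"acl_mask: \[(\d+)\] applying (\w+)\(=([a-z0-9]*)\) \((\w+)\)")
DENIED = re.compile(r"slap_access_allowed: (\w+) access denied by (\w+)\(=([a-z0-9]*)\)")

# The trace quoted in the thread, with the mail client's line wraps undone.
SAMPLE = '''\
slapd[44745]: => acl_get: [16] attr entry
slapd[44745]: => acl_mask: access to entry "cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
slapd[44745]: => acl_mask: to all values by "uid=g-guest,ou=people,dc=whatever", (=0)
slapd[44745]: <= check a_dn_pat: users
slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
slapd[44745]: => access_allowed: no more rules
'''

def expand(privs):
    """Turn a mask string such as 'arscxd' into a set, expanding w to a+z."""
    letters = set(privs)
    if "w" in letters:
        letters |= {"a", "z"}
    return letters

def explain(trace):
    """Return one finding per denial: deciding ACL, by-clause, and missing privileges."""
    findings, cur = [], {}
    for line in trace.splitlines():
        if m := ACL_GET.search(line):        # a new ACL was selected for this attribute
            cur = {"acl": int(m[1]), "attr": m[2]}
        elif m := WHO.search(line):          # identity the mask is computed for
            cur["who"] = m[1]
        elif m := APPLY.search(line):        # the by-clause that matched, and its control
            cur.update(by=int(m[1]), level=m[2], control=m[4])
        elif m := DENIED.search(line):       # final decision: compare needed vs. granted
            missing = sorted(NEEDS[m[1]] - expand(m[3]))
            findings.append({**cur, "requested": m[1], "granted": m[3], "missing": missing})
            cur = {}
    return findings

if __name__ == "__main__":
    for finding in explain(SAMPLE):
        print(finding)
```

On the quoted trace this shows the request for `write` on `entry` being decided by the first `by` clause of ACL 16 with `stop`, whose `add` mask lacks the `z` (delete) privilege.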