
Re: ACL syntax for delegating a subdomain to a group



> {0}to attrs=userPassword by self write by anonymous auth by
> dn.children="ou=admins,dc=example,dc=com" write by
> group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * none
> {1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" by self write by
> dn.children="ou=admins,dc=example,dc=com" write by
> group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * read
> {2}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by
> * read
>
> I have tried making cn=cust_support,ou=group,dc=example,dc=com both a
> posixGroup and a groupOfNames.  With both of them, when I go to save a new
> user, I get "insufficient access".
>
> If anyone could guide me in the correct direction, it would be greatly
> appreciated.

Hi Brian,

Your best bet is to set up something in your dev environment, if you
haven't already, then, for ease, switch to a simple slapd.conf, testing
your ACLs with slapacl and/or ldapsearch. Once happy, convert the
slapd.conf to a slapd.d setup and reference the right LDIF output to
import/update on your test environment. Then, once double happy, make
live.

Best way to learn, sorry :-)

-- 
Kind Regards,

Gavin Henry.
Managing Director.
