Continued: Security question. (fwd)
Ok, here's where I stand now. I still have this in my ldap directory:
    cn=Administrators,dc=<my domain>,dc=net
    cn=Administrators
    objectclass=groupofNames
    objectclass=top
    member=cn=<member1>,dc=<my domain>,dc=net
    member=cn=<member2>,dc=<my domain>,dc=net
I now have this in my slapd.conf:
    defaultaccess read
    access to dn="cn=*,dc=<my domain>,dc=net"
            by self write
            by dn="cn=Manager,dc=<my domain>,dc=net" write
            by group="cn=Administrators,dc=<my domain>,dc=net" write
            by * read
This still allows Manager all access to the ldap directory, but if I try
to write with member1, I get insufficient access. Upon looking at the
logs, I see an error code of 50 (the action it tries to perform is a
mod). One question I was thinking is: does openldap recognize the
objectclass: groupofNames or does it need to be object: group? I have
seen both on the net, but the RFC asks for the first one if I remember
correctly. Any ideas? Thanks in advance and for all the help given thus
far.
Cliff
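Added example, not part of Cliff's post: the two slapd.conf fragments below put the access directive as posted next to a corrected form, for an OpenLDAP release that still uses "defaultaccess" (the 1.x and 2.0 series). Two facts about those releases matter here. First, the value of dn= in an "access to" clause is a POSIX regular expression, not a shell glob, so "cn=*" means the letters "cn" followed by zero or more "=" characters and never matches an entry such as cn=member1,dc=example,dc=net; a bind that matches no access directive falls through to "defaultaccess read", which is exactly the insufficient access (result code 50) seen in the log. Second, the rootdn (cn=Manager) bypasses ACLs entirely, so its success says nothing about whether the rule works. The group clause defaults to objectClass groupOfNames and attribute member, so the long form group/groupOfNames/member shown below is equivalent to the short one. dc=example,dc=net stands in for the redacted domain; only one of the two directives belongs in a real file, and the first "access to" whose dn= matches is the one that is applied, with the first matching "by" clause inside it deciding the outcome.

```conf
# ---- As posted (constructed copy, domain replaced by dc=example,dc=net) ----
# "cn=*" is a regex: "cn" followed by zero or more "=", then ",dc=example,dc=net".
# cn=member1,dc=example,dc=net does not match, so every non-rootdn bind gets
# "defaultaccess read" and a modify returns result code 50.
defaultaccess read
access to dn="cn=*,dc=example,dc=net"
        by self write
        by dn="cn=Manager,dc=example,dc=net" write
        by group="cn=Administrators,dc=example,dc=net" write
        by * read

# ---- Corrected ----
# Anchor the expression and use ".*" so every entry directly under the suffix
# matches. Members of cn=Administrators get write through the group clause;
# the explicit clause for cn=Manager is unnecessary because the rootdn bypasses
# ACLs, so it is dropped. Everyone else keeps read only.
defaultaccess read
access to dn="^cn=.*,dc=example,dc=net$"
        by self write
        by group/groupOfNames/member="cn=Administrators,dc=example,dc=net" write
        by * read
```

After changing the directive, restart slapd and retest the modify while bound as one of the group members rather than as the rootdn; a result other than code 50 from that bind is the only meaningful confirmation that the group clause is being applied.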