[Date Prev][Date Next] [Chronological] [Thread] [Top]

Continued: Security question. (fwd)



Ok, here's where I stand now. I still have this in my ldap directory:

cn=Administrators,dc=<my domain>,dc=net
cn=Administrators
objectclass=groupofNames
objectclass=top
member=cn=<member1>,dc=<my domain>,dc=net
member=cn=<member2>,dc=<my domain>,dc=net

I have now have this in my slapd.conf:

defaultaccess read
access to dn="cn=*,dc=<my domain>,dc=net
	by self write
	by dn="cn=Manager,dc=<my domain>,dc=net" write
	by group="cn=Administrators,dc=<my domain>,dc=net" write
	by * read

This still allows Manager all access to the ldap directory, but if I try
to write with member1, I get insufficient access.  Upon looking at the
logs, I see and error code of 50 (the action it tries to perform is a
mod).  One question I was thinking is:  does openldap recognize the
objectclass: groupofNames or does it need to be object: group?  I have
seen both on the net, but the RFC asks for the first one if I remember
correctly.  Any ideas?  Thanks in advance and for all the help given thus
far.

Cliff