Re: Continued: Security question. (fwd)
On Fri, Jun 30, 2000 at 09:25:50AM -0400, Cliff Friedel wrote:
> Ok, here's where I stand now. I still have this in my ldap directory:
>
> cn=Administrators,dc=<my domain>,dc=net
> cn=Administrators
> objectclass=groupofNames
> objectclass=top
> member=cn=<member1>,dc=<my domain>,dc=net
> member=cn=<member2>,dc=<my domain>,dc=net
>
> I now have this in my slapd.conf:
>
> defaultaccess read
> access to dn="cn=*,dc=<my domain>,dc=net"
> by self write
> by dn="cn=Manager,dc=<my domain>,dc=net" write
> by group="cn=Administrators,dc=<my domain>,dc=net" write
> by * read
>
> This still allows Manager all access to the ldap directory, but if I try
> to write with member1, I get insufficient access. Upon looking at the
> logs, I see an error code of 50 (the action it tries to perform is a
> mod). One question I was thinking is: does openldap recognize the
> objectclass: groupofNames or does it need to be object: group? I have
> seen both on the net, but the RFC asks for the first one if I remember
> correctly. Any ideas? Thanks in advance and for all the help given thus
> far.
>
I used the following to get group permissions to work:
access to <attribute>
by group/posixgroup/memberuid="cn=<group name>,ou=group,<domain components>" write
<snip>
where my groups are 'posixGroups' and the members of the groups are
listed in the 'memberUID' attribute. You may want to try a similar
technique.
blair christensen
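An added example, not configuration from either poster: the access rules the thread is working toward, written out in OpenLDAP 2.x slapd.conf syntax, with the checks a practitioner would want alongside them. Three facts about slapd that bear on the thread, independent of either message: LDAP result code 50 is insufficientAccessRights, so err=50 on a mod means an ACL (or the lack of a matching one) denied the write; the rootdn (Manager here) bypasses access control entirely, so a write that succeeds as Manager proves nothing about the group rule; and in the 1.x/2.0 syntax `dn=` took a regular expression, so `dn="cn=*,dc=...,dc=net"` reads `=*` as "zero or more '=' characters" and does not match an ordinary `cn=member1,...` entry. The base dc=example,dc=net, the posixGroup cn=ldapadmins,ou=group,dc=example,dc=net and the entry names are placeholders.

```conf
# Added example (OpenLDAP 2.x slapd.conf syntax); not the poster's file.
# Assumed entries:
#   cn=Administrators,dc=example,dc=net
#       objectClass groupOfNames, members in attribute "member" (DN values)
#   cn=ldapadmins,ou=group,dc=example,dc=net
#       objectClass posixGroup, members in attribute "memberUid"
#
# "by" clauses are tried in order and the first match wins, so put the
# narrow rules (passwords) before the broad subtree rule. rootdn is never
# subject to these rules at all.

# Passwords: owner and the admin group may write, anyone may bind
# against them, nobody else may read them.
access to attrs=userPassword
        by self write
        by group="cn=Administrators,dc=example,dc=net" write
        by anonymous auth
        by * none

# Everything else under the suffix. group="..." defaults to
# objectClass groupOfNames / attribute member, which is what the
# quoted directory entry uses. dn.subtree matches the whole subtree
# literally; compare the older dn="cn=*,dc=example,dc=net", which was a
# regex and matched no real entry, so writes fell through to the
# default (read) and failed with err=50.
access to dn.subtree="dc=example,dc=net"
        by self write
        by group="cn=Administrators,dc=example,dc=net" write
        by * read

# Variant for posixGroup-style groups, as described in the reply above.
# memberUid does not hold DNs; whether a given slapd release matches it
# against the bind DN varies, so verify with slapacl before relying on it.
# access to dn.subtree="dc=example,dc=net"
#         by self write
#         by group/posixGroup/memberUid="cn=ldapadmins,ou=group,dc=example,dc=net" write
#         by * read
```

Check the rules without touching the data: `slapacl -f /etc/openldap/slapd.conf -D "cn=member1,dc=example,dc=net" -b "cn=member2,dc=example,dc=net" "cn/write"` evaluates the ACLs for that bind DN and target and reports whether write on cn would be allowed. Run it for a group member, a non-member and the Manager DN; only the first two results tell you anything, since the rootdn is exempt from access control.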