
Re: Adding administrators to LDAP



I used ldapdelete and removed my sysadmin group that had the
objectClass=posixGroup.  I then added the sysadmin group again with the
objectclass=groupOfNames and added the dn for it in my ACL rules in
slapd.conf.  I then restarted ldap and, since I was a 'member=
uid=jhoot,ou=people,dc=nowcom,dc=com' of cn=sysadmin, tried to change the
password of another user.  The following is what I used to add the sysadmin
entry, what I used as my ACL, and finally what I used to try and change the
password for another user.


[jhoot@plastic scripts]$ ldapadd -D cn=manager,dc=nowcom,dc=com -W
Enter LDAP Password:
cn=sysadmin,ou=Group,dc=nowcom,dc=com
objectClass=groupOfNames
cn=sysadmin
member= uid=jhoot,ou=people,dc=nowcom,dc=com
member= uid=bbrookie,ou=people,dc=nowcom,dc=com
member= uid=ddimick,ou=people,dc=nowcom,dc=com 


# Allow the manager and user to change the user's password
access to attrs=userpassword
        by self write
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by dn="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by * search
#       by anonymous auth


[jhoot@plastic scripts]$ ldapmodify -D uid=jhoot,ou=people,dc=nowcom,dc=com -W -r
Enter LDAP Password:
uid=ddimick,ou=people,dc=nowcom,dc=com
userPassword=denis
 
modifying entry uid=ddimick,ou=people,dc=nowcom,dc=com
ldap_modify: Insufficient access





Vetle Roeim <vetler@opera.com> said:

> * Joseph Hoot
> > What is the best way to add System Administrators to the LDAP server?  I
> > tried using the following group and adding
> > cn=sysadmin,ou=Group,dc=nowcom,dc=com to a couple ACLs with write
> > privileges, but that didn't seem to work.  What I want to do is to be able
> > to add something like the following group and just add
> > cn=sysadmin,ou=Group,dc=nowcom to the ACLs.  If I do use something like
> > the following, how do I bind?  Do I bind with
> > uid=jhoot,ou=people,dc=nowcom,dc=com or do I bind with
> > cn=sysadmin,etc..etc.. and just use the passwd from my uid user?
> 
> I'm not familiar with the objectclass 'posixGroup', but I can tell you
> what will work.
> 
> Create a group, cn=sysadmin,ou=Group,dc=nowcom,dc=com, for instance,
> with 'groupOfNames' as the objectclass.
> 
> Then put the dn of the members of this group into the 'member'
> attribute and use the DN of this object in the ACL.
> 
> It should then be possible for the members of the group to bind with
> their own DNs and have the access rights of the group.
> 
> 
> HTH,
> vr
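Added example, not from either poster: the userPassword ACL above rewritten so that membership in the group is actually checked. In slapd.conf a `by dn=` clause matches only the DN that performed the bind, so naming the group DN there never matches a member who binds as their own uid; `by group=` is the clause that walks the group entry's `member` attribute. The DNs are the ones from this thread.

```conf
# slapd.conf ACL for userPassword (assumes cn=Manager and the
# cn=sysadmin groupOfNames entry shown in the thread)
access to attrs=userPassword
        # a user may change their own password
        by self write
        # the manager account binds as this exact DN
        by dn="cn=Manager,dc=nowcom,dc=com" write
        # anyone listed in the group's 'member' attribute; this is the
        # membership check that 'by dn="cn=sysadmin,..."' never performed,
        # which is why the original ldapmodify got "Insufficient access"
        by group/groupOfNames/member="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        # a simple bind only needs 'auth'; granting 'search' instead would
        # let any client test filters against stored password values
        by anonymous auth
        by * none
```

Clauses are evaluated in order and the first match wins, so keep `by self write` ahead of the group clause; slapd must be restarted for the new ACL to take effect.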