
Re: ACL Problem
On Thu, 02 Nov 2000, Jerry Han wrote:
> Hi,
> 
> I'm using OpenLDAP 1.2.x.  I want to grant some users have the super-user
> like privilege.  So, I create a DN - "cn=Directory
> Administrators,ou=Group,o=SJNS,c=CN", which contain the userid of the proper
> users.
> 
> dn: cn=Directory Administrators, ou=Group, o=SJNS, c=CN
> memberuid: usr1
> memberuid: usr2
> memberuid: usr3
> objectclass: posixGroup
> objectclass: top
> cn: Directory Administrators

Change

objectclass: posixGroup
to
objectclass: groupOfNames

> And I have these ACL in slapd.conf file.
> #################################################################
> defaultaccess read
> access to attr=userpassword,sn,maildrop
>  by self write
>  by dn="cn=Directory Administrators,o=SJNS,c=CN" write
>  by dn="cn=Directory Administrators,ou=Group,o=SJNS,c=CN" write
>  by * read
> 
> #################################################################

Change your slapd.conf to reflect the following:

access to *
    by group="cn=Directory Administrators,o=SJNS,c=CN" write

>  The problem is, when the user use their own DN
> ("uid=usr1,ou=people,o=SJNS,c=CN") bind to the ldap server. they still
> cannot modify any entry except there own DN.

Restart slapd so the new configuration will be read.

Also, on your defaultaccess of read... It may not be such a good idea to give
everybody read permissions to userpassword. Especially if you are storing
cleartext passwords. 

Mike
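The two changes Mike recommends, written out in full as an added example that is not part of either message: the group entry as a groupOfNames (whose `member` values are full DNs, unlike posixGroup's bare `memberuid` values, so that a `by group=` clause can match the bound DN against it) and a slapd.conf ACL set in OpenLDAP 1.2.x syntax. The DNs are the ones from the original question; the group DN with `ou=Group` is assumed to be the entry Jerry created. The `by * none` on userpassword is the tightening Mike hints at; the broken `by dn=` line is kept as a comment to show why the original did not work, since `dn=` matches the bound DN itself, not the members of that entry.

```conf
# ---------------------------------------------------------------
# Group entry (LDIF), shown here alongside the config for context.
# groupOfNames stores DNs in "member", which is what "by group="
# compares the bind DN against. posixGroup's "memberuid" holds
# bare uids and is never consulted by the ACL code.
# ---------------------------------------------------------------
#   dn: cn=Directory Administrators,ou=Group,o=SJNS,c=CN
#   objectclass: top
#   objectclass: groupOfNames
#   cn: Directory Administrators
#   member: uid=usr1,ou=People,o=SJNS,c=CN
#   member: uid=usr2,ou=People,o=SJNS,c=CN
#   member: uid=usr3,ou=People,o=SJNS,c=CN

# ---------------------------------------------------------------
# slapd.conf ACLs. Clauses are tried in order and the first
# "access to" whose target matches decides, so the attribute-
# specific rules must come before the catch-all "access to *".
# ---------------------------------------------------------------
defaultaccess read

# Password: the owner and the admin group may change it, nobody
# else may read it (a stored cleartext value would otherwise be
# visible to every anonymous reader via "defaultaccess read").
access to attr=userpassword
    by self write
    by group="cn=Directory Administrators,ou=Group,o=SJNS,c=CN" write
    by * none

# Other per-user attributes: owner and admins write, others read.
access to attr=sn,maildrop
    by self write
    by group="cn=Directory Administrators,ou=Group,o=SJNS,c=CN" write
    by * read

# Everything else in the tree: admins write, everyone reads.
access to *
    by group="cn=Directory Administrators,ou=Group,o=SJNS,c=CN" write
    by * read

# Original (broken) form, for comparison. "dn=" is matched against
# the DN the client bound as, so this only grants write to a client
# that binds AS the group entry, never to usr1/usr2/usr3:
#   by dn="cn=Directory Administrators,ou=Group,o=SJNS,c=CN" write
```

slapd reads this file only at startup, so the change takes effect after a restart, as Mike says. A quick check after restarting is to bind as `uid=usr1,ou=People,o=SJNS,c=CN` and attempt a modify on another user's entry; if it still fails, confirm that the group entry really carries `objectclass: groupOfNames` and `member:` values spelled exactly as the users' bind DNs, because group matching is an exact DN comparison.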