
Group access control



Hello,

I'm trying to implement group access to my LDAP database. I have
created the following group:

dn: cn=crAdmins,dc=mysite,dc=com
cn: user administrators
objectclass: groupofNames
objectclass: top
member: uid=adminuser,ou=People,dc=mysite,dc=com
member: uid=adminuser2,ou=People,dc=mysite,dc=com

I have the following access control directives in slapd.conf:

access to dn=".*,ou=People,dc=mysite,dc=com"
        by group="cn=crAdmins,dc=mysite,dc=com" write
        by dn="cn=admin,dc=mysite,dc=com" write
        by * none
access to *
        by dn="cn=admin,dc=mysite,dc=com" write
        by group="cn=crAdmins,dc=mysite,dc=com" read
        by * none

As far as I understand, it should grant write access to any dn under
base ou=People,dc=mysite,dc=com for the dn
"uid=adminuser,ou=People,dc=mysite,dc=com". However, when I try
to delete the dn "uid=exampleuser,ou=People,dc=mysite,dc=com", I get an
"insufficient access" error.

It would be great if somebody could tell me what I am missing. Thanks!

--
Tadas Miniotas
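Editor's note, as an added example and not part of the post above: two things in the posted configuration keep the delete from succeeding, and a third keeps the group entry from loading at all. First, a delete operation needs write access not only to the "entry" pseudo-attribute of uid=exampleuser but also to the "children" pseudo-attribute of its parent, ou=People,dc=mysite,dc=com (see slapd.access(5)). Even if the pattern ".*,ou=People,dc=mysite,dc=com" matches the user entry, it does not match the parent itself, so the parent falls through to "access to *", where the group only gets read, and slapd answers "insufficient access". A dn.subtree clause covers the ou=People entry and everything below it in one rule. Second, "by * none" on the People subtree also denies the anonymous "auth" access that a simple bind needs on userPassword, so an attrs=userPassword rule has to come first (rules are tried in order and the first matching "access to" wins). Third, the group LDIF has dn: cn=crAdmins but cn: user administrators; the RDN value must be present in the entry, so slapd rejects that add as a naming violation, and a member lookup against the non-existent group then matches nobody. The fragment below assumes the same suffix, group DN and admin DN as the post:

```conf
# Added example: corrected slapd.conf ACLs for the post above (not the
# poster's own config).  Assumes suffix dc=mysite,dc=com, the group
# cn=crAdmins,dc=mysite,dc=com (objectClass groupOfNames, attribute
# member, which is the default "by group=" lookup) and the admin
# DN cn=admin,dc=mysite,dc=com.  Rules are evaluated top to bottom and
# the first "access to" whose <what> matches decides.

# 1. Passwords: users may change their own, anonymous may only use it
#    to bind (auth), nobody else sees it.  Must precede the subtree rule,
#    or "by * none" below denies the bind itself.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The People subtree.  dn.subtree includes ou=People,dc=mysite,dc=com
#    itself, so a delete gets both entry/write on the user entry and
#    children/write on the parent; dn.children or an unanchored regex
#    would cover only the former.
access to dn.subtree="ou=People,dc=mysite,dc=com"
        by group="cn=crAdmins,dc=mysite,dc=com" write
        by dn.exact="cn=admin,dc=mysite,dc=com" write
        by * none

# 3. Everything else (including the group entry): admin writes, the
#    group may read, all others denied.
access to *
        by dn.exact="cn=admin,dc=mysite,dc=com" write
        by group="cn=crAdmins,dc=mysite,dc=com" read
        by * none
```

The group entry itself should carry its RDN value, i.e. "cn: crAdmins" (a second "cn: user administrators" value is fine). Both halves of the delete can be checked offline against the backend with slapacl before restarting slapd, for example
slapacl -f /etc/openldap/slapd.conf -D "uid=adminuser,ou=People,dc=mysite,dc=com" -b "uid=exampleuser,ou=People,dc=mysite,dc=com" entry/write
and the same command with -b "ou=People,dc=mysite,dc=com" children/write; with the original rules the second one is the one that reports denied.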