[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Group administration ACL

To: Stephen <sdw@shineonline.co.nz>
Subject: Re: Group administration ACL
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: 06 Dec 2002 07:01:44 +0100
Cc: openldap-software@OpenLDAP.org
In-reply-to: <3DEFFC22.1090504@shineonline.co.nz>
Organization:
References: <3DEFFC22.1090504@shineonline.co.nz>

fre, 2002-12-06 kl. 02:23 skrev Stephen:
> I'd like to allow a group of administrators to maintain a portion of the 
> LDAP tree. The OpenLDAP document provides a hint on how to do this, but 
> no examples, i.e.
> 
>         dnattr=<dn-valued attribute name
> 
> Here is an example of what I want to do ...
> For instance with a goup of unique names:
> 
> dn: cn=Directory Administrators, ou=Groups, o=airius.com
> cn: Directory Administrators
> objectclass: top
> objectclass: groupofuniquenames
> ou: Groups
> uniquemember: uid=kvaughan, ou=People, o=airius.com
> uniquemember: uid=rdaugherty, ou=People, o=airius.com
> uniquemember: uid=hmiller, ou=People, o=airius.com

> The ACL commonly provided in slapd.conf is
>    access to attr=userPassword
>         by self write
>         by anonymous auth
>         by * none
> 
> So what would the ACL look like if access to userPassword was also 
> allowed for everyone in the LDAP groupofuniquenames "Directory 
> Administrators"?


I have a group for managers who can change other attributes than
userPassword for members in given groups. I use groupOfNames, but the
principle is the same. It works well:

 by group="cn=peoplemanagers,ou=groups,dc=example,dc=com" dnattr=member
write

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl

References:
- Group administration ACL
  - From: Stephen <sdw@shineonline.co.nz>

Prev by Date: Re: Group administration ACL
Next by Date: Re: Symlinks in OpenLDAP
Index(es):
- Chronological
- Thread