[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd.conf Access Question



If I understand you correctly, cn=Admins,o=myorg,c=us is a role, but
your rule is treating it as a base under which DN's would belong (e.g.
uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
the attributes of that DN and tests for a matching roleOccupant, like
this:

by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write

What this rule says is that "cn=Admin..." is a group of objectclass
organizationalRole, where each member is identified by the attribute
roleOccupant.

So... your record should look like this (stripped down -- you prob.
want/need more attributes):

dn: cn=Admins,o=myorg,c=us
objectClass: organizationalRole
cn: Admins
roleOccupant: cn=me,o=myorg,c=us
roleOccupant: cn=you,o=myorg,c=us
...

Does that make sense?

Matt


On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> I just wanted to take a moment to thank everyone who has answered my
> questions.  You have really helped get my LDAP project off the ground.
> 
> However, now another question has arisen.
> 
> In the slapd.conf file, I am trying to set-up the access rights so my
> administrators don't need to authenticate using the rootdn.
> 
> My access rules are as follows:
> 
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn.base="cn=Admins,o=myorg,c=us" write
>         by * none
> 
> access to *
>         by self write
>         by dn.base="cn=Admins,o=myorg,c=us" write
>         by * read
> 
> cn=Admins,o=myorg,c=us being an organization role with several
> roleoccupant attributes, each one containing a DN of a directory
> administrator.
> 
> It appears that the 1st access rule is working correctly, since people
> in the group can see and manage the password while people outside the
> group can not see the attribute, however the second access rule is not
> working at all.   It appears that everyone only has read access except
> the rootdn of course.   
> 
> Thanks again.
>  
-- 
M Butcher <mbutcher@grcomputing.net>