I should change the access rule in the
conf file to say:
access * by dn.group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us"
write
My object for the organizationalRole
is exactly as you have listed below, so on that I was on the right path.
----- Forwarded by Mike
Carpenter/Arnold Industries on 06/06/2003 02:08 PM -----
M Butcher <mbutcher@grcomputing.net>
06/06/2003 12:41 PM
To:
Mike Carpenter <MCarpenter@roadwaynextday.com>
cc:
openldap-software@OpenLDAP.org
Subject:
Re: slapd.conf Access Question
If I understand you correctly, cn=Admins,o=myorg,c=us
is a role, but
your rule is treating it as a base under which DN's would belong (e.g.
uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
the attributes of that DN and tests for a matching roleOccupant, like
this:
by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us"
write
What this rule says is that "cn=Admin..." is a group of objectclass
organizationalRole, where each member is identified by the attribute
roleOccupant.
So... your record should look like this (stripped down -- you prob.
want/need more attributes):
On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> I just wanted to take a moment to thank everyone who has answered
my
> questions. You have really helped get my LDAP project off the
ground.
>
> However, now another question has arisen.
>
> In the slapd.conf file, I am trying to set-up the access rights so
my
> administrators don't need to authenticate using the rootdn.
>
> My access rules are as follows:
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn.base="cn=Admins,o=myorg,c=us"
write
> by * none
>
> access to *
> by self write
> by dn.base="cn=Admins,o=myorg,c=us"
write
> by * read
>
> cn=Admins,o=myorg,c=us being an organization role with several
> roleoccupant attributes, each one containing a DN of a directory
> administrator.
>
> It appears that the 1st access rule is working correctly, since people
> in the group can see and manage the password while people outside
the
> group can not see the attribute, however the second access rule is
not
> working at all. It appears that everyone only has read access
except
> the rootdn of course.
>
> Thanks again.
>
--
M Butcher <mbutcher@grcomputing.net>