Re: Fw: slapd.conf Access Question
You'll want to change both rules ("access to *" and "access to
attr=userPassword"). Note that the rule does not need (maybe doesn't
allow) 'dn' in the by line.
Matt
On Fri, 2003-06-06 at 12:12, Mike Carpenter wrote:
> I believe so, but just to make sure...
>
> I should change the access rule in the conf file to say:
> access * by dn.group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write
>
> My object for the organizationalRole is exactly as you have listed
> below, so on that I was on the right path.
> ----- Forwarded by Mike Carpenter/Arnold Industries on 06/06/2003 02:08 PM -----
>
> M Butcher <mbutcher@grcomputing.net>
> 06/06/2003 12:41 PM
>
> To: Mike Carpenter <MCarpenter@roadwaynextday.com>
> cc: openldap-software@OpenLDAP.org
> Subject: Re: slapd.conf Access Question
>
> If I understand you correctly, cn=Admins,o=myorg,c=us is a role, but
> your rule is treating it as a base under which DN's would belong (e.g.
> uid=me,cn=Admins,o=myorg,c=us). What you want is a rule that searches
> the attributes of that DN and tests for a matching roleOccupant, like
> this:
>
> by group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us" write
>
> What this rule says is that "cn=Admin..." is a group of objectclass
> organizationalRole, where each member is identified by the attribute
> roleOccupant.
>
> So... your record should look like this (stripped down -- you prob.
> want/need more attributes):
>
> dn: cn=Admins,o=myorg,c=us
> objectClass: organizationalRole
> cn: Admins
> roleOccupant: cn=me,o=myorg,c=us
> roleOccupant: cn=you,o=myorg,c=us
> ...
>
> Does that make sense?
>
> Matt
>
>
> On Fri, 2003-06-06 at 08:16, Mike Carpenter wrote:
> > I just wanted to take a moment to thank everyone who has answered my
> > questions. You have really helped get my LDAP project off the ground.
> >
> > However, now another question has arisen.
> >
> > In the slapd.conf file, I am trying to set up the access rights so my
> > administrators don't need to authenticate using the rootdn.
> >
> > My access rules are as follows:
> >
> > access to attr=userPassword
> > by self write
> > by anonymous auth
> > by dn.base="cn=Admins,o=myorg,c=us" write
> > by * none
> >
> > access to *
> > by self write
> > by dn.base="cn=Admins,o=myorg,c=us" write
> > by * read
> >
> > cn=Admins,o=myorg,c=us being an organizational role with several
> > roleoccupant attributes, each one containing a DN of a directory
> > administrator.
> >
> > It appears that the 1st access rule is working correctly, since people
> > in the group can see and manage the password while people outside the
> > group can not see the attribute; however, the second access rule is not
> > working at all. It appears that everyone only has read access except
> > the rootdn, of course.
> >
> > Thanks again.
> >
> --
> M Butcher <mbutcher@grcomputing.net>
--
M Butcher <mbutcher@grcomputing.net>
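The point of the thread is that `by dn.base="cn=Admins,..."` only ever matches a bind DN that is literally the role entry itself, whereas `by group/organizationalRole/roleOccupant="cn=Admins,..."` matches any bind DN listed as a `roleOccupant` of that entry. The following is an added illustration, not OpenLDAP code: a toy evaluator for just the slapd.conf access syntax used in the thread (`to *`, `to attr=`, and `by self`, `by anonymous`, `by *`, `by dn.base=`, `by group/objectClass/attr=`) with the documented first-matching-directive, first-matching-`by` semantics. The directory contents, the user DNs `cn=me`, `cn=you` and `cn=bob`, and the two rule sets are constructed here; the evaluator does not model slapd's defaults when no directive matches.

```python
"""Toy model of how slapd selects an access directive and a 'by' clause.

Added illustration for the thread, not OpenLDAP's own code. It covers only the
syntax the thread uses and exists to show why dn.base= never grants the role's
occupants anything, while group/organizationalRole/roleOccupant= does.
"""
import re

# Constructed directory: the organizationalRole entry from the thread plus users.
DIRECTORY = {
    "cn=Admins,o=myorg,c=us": {
        "objectClass": ["organizationalRole"],
        "cn": ["Admins"],
        "roleOccupant": ["cn=me,o=myorg,c=us", "cn=you,o=myorg,c=us"],
    },
    "cn=me,o=myorg,c=us": {"objectClass": ["person"], "cn": ["me"]},
    "cn=you,o=myorg,c=us": {"objectClass": ["person"], "cn": ["you"]},
    "cn=bob,o=myorg,c=us": {"objectClass": ["person"], "cn": ["bob"]},  # not an occupant
}

# The original rules from the thread (dn.base on a role DN).
ORIGINAL_RULES = """
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Admins,o=myorg,c=us" write
    by * none
access to *
    by self write
    by dn.base="cn=Admins,o=myorg,c=us" write
    by * read
"""

# Matt's fix applied to both directives: test roleOccupant membership instead.
CORRECTED_RULES = ORIGINAL_RULES.replace(
    'dn.base="cn=Admins,o=myorg,c=us"',
    'group/organizationalRole/roleOccupant="cn=Admins,o=myorg,c=us"',
)


def parse_access(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            directives.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            directives[-1][1].append((who, level))
    return directives


def who_matches(who, requester, target_dn):
    """Evaluate one 'by' clause; requester is the bound DN or None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    m = re.fullmatch(r'dn\.base="([^"]*)"', who)
    if m:
        # dn.base compares the bound DN with the literal DN and nothing else,
        # so a role DN here only matches someone who binds as the role itself.
        return requester == m.group(1)
    m = re.fullmatch(r'group/([^/]+)/([^=]+)="([^"]*)"', who)
    if m:
        # group/<objectClass>/<memberAttr>: look up the named entry, require the
        # objectClass, and test whether the bound DN is one of the member values.
        object_class, member_attr, group_dn = m.groups()
        entry = DIRECTORY.get(group_dn)
        return (entry is not None
                and object_class in entry.get("objectClass", [])
                and requester in entry.get(member_attr, []))
    raise ValueError(f"unsupported by clause: {who}")


def what_matches(what, attr):
    """Evaluate a 'to' clause for the attribute being accessed (None = the entry)."""
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr is not None and attr.lower() == what[5:].lower()
    raise ValueError(f"unsupported to clause: {what}")


def access_level(rules, requester, target_dn, attr=None):
    """First directive whose 'to' matches decides; within it, first matching 'by' wins."""
    for what, clauses in parse_access(rules):
        if not what_matches(what, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"  # simplification: slapd's own default is not modelled here


def compare(requester, target_dn, attr=None):
    """(level under the original rules, level under the corrected rules)."""
    return (access_level(ORIGINAL_RULES, requester, target_dn, attr),
            access_level(CORRECTED_RULES, requester, target_dn, attr))


if __name__ == "__main__":
    for who in ["cn=me,o=myorg,c=us", "cn=bob,o=myorg,c=us", None]:
        print(who, "entry:", compare(who, "cn=you,o=myorg,c=us"),
              "userPassword:", compare(who, "cn=you,o=myorg,c=us", "userPassword"))
```

Running it shows the role occupant `cn=me` getting only `read` on another entry (and `none` on its userPassword) under the original rules, and `write` on both under the corrected ones; `cn=bob`, who is not an occupant, is unchanged by the fix; and the only DN that the original `dn.base` clause ever grants `write` to is `cn=Admins,o=myorg,c=us` itself.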