RE: unknown LDAP result code (-30990): using groups to manage ACL's

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Friday, January 30, 2004 11:28 AM -0800 Chris Paul 
<chris.paul@sentinare.net> wrote:


> Now, as someone a bit green with OpenLDAP, I'm wondering what would be a
> workaround or another way to create some roles in OpenLDAP?
>
> What I'd like to do is be able to put a user in a "admin group". Or
> populate another object (organizationalRole?) with admins. I don't want
> to have to modify an ACL to add an administrator.
>
> Any recipes anyone care to share?


We use groups. ;) But I haven't used back-ldap.

We basically have:

dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: uid=quanah,cn=Accounts,dc=stanford,dc=edu

# $Id: slapd.acl,v 1.126 2004/01/30 06:20:23 quanah Exp $
# ACL include file for slapd
#

access to dn.base=""
       by * read

access to dn.base="cn=monitor"
       by * read

access to *
       by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 write
       by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
       by * break


[rest of acl's]

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html