Re: Am I still struggling with ACLs?
On Mon, 2004-07-19 at 04:13, Alexandre Garel wrote:
> Josiah Ritchie a écrit :
>
> >I'm trying to make changes to the database as a different user than the
> >Manager and I am running into problems. I've played with the ACLs a lot
> >and from what I can tell they are good, but if I change them to just
> >"access to * by * write" things work as expected. I've been reading tons
> >of stuff, and must be missing one obvious thing that is assumed or
> >something. Your help again is appreciated. Here's the issue in detail...
> >
> >// I'm trying to run this command:
> ># ldapmodify -W
> > -D "uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu"
> >
> >// I enter this change:
> >dn: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >changetype: modify
> >add: memberUid
> >memberUid: JasonStroup
> >
> >// And get this response:
> >modifying entry "cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu"
> >ldapmodify: update failed: cn=Domain
> >Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >ldap_modify: Insufficient access (50)
> >
> >// I'm using the following ACLs:
> >
> >access to attr=userPassword
> > by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
> > by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
> > by self write
> > by anonymous auth
> > by * none break
> >
> >
> >access to *
> > by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
> > by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
> > by self write
> > by * read
> >
> >
> >allow bind_v2
> >
> >// uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu is listed as
> >a memberUid attr in cn=Domain
> >Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
> >
> >
> It seems that by default openldap expects a groupOfNames group with the
> attribute member. If you use a different objectClass and attribute for
> members (memberUid), you must specify it:
> group[/<objectclass>[/<attrname>]][.<style>]=<pattern> (see slapd.access).
So are you saying I need to write the ACL like this:
access to * by group/posixGroup/memberUid="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
What is the default object class that would not require me to do it this
way?
Thanks,
JSR/
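As an added illustration (not from this thread or from OpenLDAP's own documentation), here is the default group clause beside the explicit objectclass/attribute form from slapd.access(5), written with the DNs from Josiah's post; the group entries behind them are assumed.

```conf
# Added example, not part of the thread. DNs taken from the post above;
# the group entries (groupOfNames / groupOfUniqueNames) are assumed.

# Form 1: the bare group clause. With no objectclass/attrname given, slapd
# looks up the named entry expecting objectClass groupOfNames and compares
# the bound DN against its "member" values. A posixGroup that only carries
# memberUid has no "member" attribute, so this clause never matches and the
# request falls through to "by * read" -> Insufficient access (50).
access to *
    by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
    by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
    by self write
    by * read

# Form 2: explicit objectclass and membership attribute
#   group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
# Caveat: slapd accepts <attrname> only if its syntax is distinguishedName
# or nameAndOptionalUID; memberUid is a plain string attribute and is
# rejected at config load. So point the clause at a DN-valued attribute,
# e.g. a groupOfUniqueNames entry whose uniqueMember values are user DNs.
access to *
    by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
    by group/groupOfUniqueNames/uniqueMember.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
    by self write
    by * read

# Either way the write grant is tied to "Domain Admins". A bind DN that is
# listed only in "Domain Users" still ends at "by * read".
```

Run `slaptest -f /etc/openldap/slapd.conf` after editing: it parses the ACLs and reports an unusable group clause before slapd is restarted.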