
Re: Am I still struggling with ACLs?



Josiah Ritchie wrote:
On Mon, 2004-07-19 at 04:13, Alexandre Garel wrote:

Josiah Ritchie wrote:

I'm trying to make changes to the database as a different user than the
Manager and I am running into problems. I've played with the ACLs a lot
and from what I can tell they are good, but if I change them to just
"access to * by * write" things work as expected. I've been reading tons
of stuff, and must be missing one obvious thing that is assumed or
something. Your help again is appreciated. Here's the issue in detail...

// I'm trying to run this command:
# ldapmodify -W \
    -D "uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu"

// I enter this change:
dn: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
changetype: modify
add: memberUid
memberUid: JasonStroup

// And get this response:
modifying entry "cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu"
ldapmodify: update failed: cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu
ldap_modify: Insufficient access (50)

// I'm using the following ACLs:

access to attr=userPassword
       by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
       by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
       by self write
       by anonymous auth
       by * none break

access to *
       by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
       by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
       by self write
       by * read

allow bind_v2

// uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu is listed as
// a memberUid attr in cn=Domain Users,ou=Groups,dc=cougarnet,dc=bible,dc=edu

It seems that by default OpenLDAP expects a groupOfNames with attribute
member. If you use a different objectClass and attribute for members
(memberUid), you must specify it as
group[/<objectclass>[/<attrname>]][.<style>]=<pattern> (see slapd.access).


So are you saying I need to write the ACL like this:
access to * by group/posixGroup/memberUid="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write

Yes, but I just refer to the documentation since I never use it myself.
What is the default object class that would not require me to do it this
way?
'groupOfNames' with attribute 'member' according to http://www.openldap.org/faq/data/cache/452.html
Thanks,
JSR/
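The group clause discussed in this thread, written out as a slapd.conf fragment with each DN on one line. This is an added example, not configuration posted by Alexandre or Josiah; the domain and group names are the ones from the thread, and the ACL bodies are illustrative.

```conf
# Added example (not from the thread). DNs copied from the messages above;
# the access rules themselves are illustrative.

# Default form. "group" is shorthand for "group/groupOfNames/member": slapd
# reads the entry named by the pattern, expects objectClass groupOfNames,
# and grants the clause when the *bound DN* is one of the values of its
# "member" attribute.
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read

# Explicit form from slapd.access(5): group/<objectclass>/<attrname>[.<style>].
# This is the syntax proposed in the thread for a posixGroup. Caveat: the
# comparison is still bound DN against attribute values, so <attrname> has to
# be DN-valued. A posixGroup's memberUid holds login names
# ("memberUid: JasonStroup" in the modify above), which never equal
# uid=JosiahRitchie,ou=People,dc=cougarnet,dc=bible,dc=edu, so this clause
# grants nothing; current slapd releases reject a non-DN group attribute when
# reading the config. Keep a DN-valued membership attribute (groupOfNames/
# member) for ACL purposes.
access to *
        by dn.base="cn=Manager,dc=cougarnet,dc=bible,dc=edu" write
        by group/posixGroup/memberUid.exact="cn=Domain Admins,ou=Groups,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * read
```

slapd.conf treats a line beginning with whitespace as a continuation of the previous directive, which is why the `by` clauses may be indented, but a DN broken across two lines without leading whitespace on the second (as mail wrapping produced in the quoted config) is read as a new directive and fails. Check with `slaptest -f slapd.conf` before restarting the server.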