
Re: ACL question



Buchan Milne wrote:

> I assume this is for use by samba.
>
> But, what dn is actually going to make these changes? Is it *really* the DN of real users (members of the samba group Domain Admins), or is it using the DN you have configured for samba/smbldap-tools (or similar) etc (with samba controlling the use of this dn via rights).

In my case it is really the DN of real users. People in the Samba group Domain Admins are granted access to do what I described above (with smbldap-tools), but what I really want is that all DNs in group Domain Admins would have similar rights also when performing similar actions on the command line with ldap{search|add|modify|delete} commands, or more precisely I want these people to access my LDAP directory with phpldapadmin.


> Well, I instead use a groupOfNames cn=Domain Controllers, have DNs for each host, and add those as members of cn=Domain Controllers, and give that group rights to create users.
>
> You may be interested in this example:
> http://cvs.mandriva.com/cgi-bin/cvsweb.cgi/SPECS/openldap/slapd.access.conf

Ok, I'll do that. Thanks!

> Which also shows that you don't need a huge list of attributes, use the objectclass instead (ie @sambaSamAccount).
>
> Note that the samba aspects of this are quite off-topic ...
>
> Regards,
> Buchan


Cheers,

Jukka Hienola
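
The group-based approach discussed in this thread, sketched as slapd.conf access rules. This is an added example, not taken from the thread or from the Mandriva file linked above. All DNs are constructed placeholders, and both groups are assumed to be groupOfNames entries, because the `group` clause matches on a DN-valued `member` attribute.

```conf
# Added illustration: every DN below is a constructed placeholder.
# slapd applies the first "access to" clause that matches, so the
# narrow rule for password hashes must come before the broad ones.

# 1. Password hashes: writable by group members and the owner,
#    usable for binds, unreadable by everyone else.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=userPassword,sambaNTPassword,sambaLMPassword
    by group.exact="cn=Domain Admins,ou=Groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. Adding or deleting user entries requires write access to the
#    "children" pseudo-attribute of the parent container.
access to dn.base="ou=People,dc=example,dc=com" attrs=children
    by group.exact="cn=Domain Admins,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=Domain Controllers,ou=Groups,dc=example,dc=com" write
    by * none

# 3. Remaining Samba attributes, selected through the objectclass
#    shorthand instead of a long attribute list.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=@sambaSamAccount
    by group.exact="cn=Domain Admins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# 4. Everything else under the container, including the "entry"
#    pseudo-attribute needed to create the new entry itself.
access to dn.subtree="ou=People,dc=example,dc=com"
    by group.exact="cn=Domain Admins,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=Domain Controllers,ou=Groups,dc=example,dc=com" write
    by users read
    by * none
```

Because these rules key on the bind DN, they apply equally to the ldap* command-line tools and to phpldapadmin when a group member binds as their own DN.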