Re: posixgroup and groupofnames
--On Tuesday, April 10, 2007 7:40 PM +0200 Hallvard B Furuseth
<h.b.furuseth@usit.uio.no> wrote:
James Tran writes:
I want to be able to make a group that is authorized to be admins to the
LDAP database, but it seems I can't do it with posixGroups.
Strictly speaking, the 'admin' is the rootdn given in slapd.conf.
But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are
described in <http://www.openldap.org/faq/data/cache/1133.html>.
This is all written without testing, but it would be something like
this:
    access to *
        by set="user/uid &
                [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
           set="user/objectClass & [posixGroup]"
Or you can just create a normal group...
For example, in my server I have:
dn: cn=ldapAdmin,cn=applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: uid=quanah,cn=accounts,dc=stanford,dc=edu
So my bind DN is a member of that group. Then in my ACLs I put:
    access to *
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
           sasl_ssf=56 write
        by * break
--Quanah
--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
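To make the difference between the two approaches in this thread concrete, here is an added model (not OpenLDAP code, and not from either poster) of how slapd would evaluate the two clauses: a groupOfNames rule matches when the bound DN is listed in the group's member attribute, while the posixGroup "set" rule matches when the bound entry's uid value appears in the group's memberUid, and the sasl_ssf=56 condition lets the clause apply only to sufficiently protected sessions. The directory contents and the dc=example,dc=com DNs are constructed for the example.

```python
"""Added illustration (not OpenLDAP code): model the two ACL styles in the thread.

group.base="<dn>" matches when the bound DN is a 'member' of that entry.
set="user/uid & [<dn>]/memberUid" matches when the bound entry's uid values
intersect the group's memberUid values. Either grants 'write' only when the
SASL security strength factor is at least 56; otherwise 'by * break' applies.
"""

def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison (simplified for the model)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

# Constructed sample directory with one group of each style (assumed data).
DIRECTORY = {
    norm_dn("cn=ldapAdmin,cn=applications,dc=example,dc=com"): {
        "objectClass": ["groupOfNames"],
        "member": ["uid=quanah,cn=accounts,dc=example,dc=com"],
    },
    norm_dn("cn=admins,cn=filegroups,dc=example,dc=com"): {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice"],
    },
    norm_dn("uid=quanah,cn=accounts,dc=example,dc=com"): {"uid": ["quanah"]},
    norm_dn("uid=alice,cn=accounts,dc=example,dc=com"): {"uid": ["alice"]},
    norm_dn("uid=mallory,cn=accounts,dc=example,dc=com"): {"uid": ["mallory"]},
}
MIN_SSF = 56  # the sasl_ssf=56 condition from the ACL

def group_base_matches(bind_dn: str, group_dn: str) -> bool:
    """group.base: is the bound DN one of the group's member DNs?"""
    group = DIRECTORY.get(norm_dn(group_dn), {})
    return norm_dn(bind_dn) in {norm_dn(m) for m in group.get("member", [])}

def set_matches(bind_dn: str, group_dn: str) -> bool:
    """set="user/uid & [group_dn]/memberUid": non-empty intersection of values."""
    user_uids = set(DIRECTORY.get(norm_dn(bind_dn), {}).get("uid", []))
    member_uids = set(DIRECTORY.get(norm_dn(group_dn), {}).get("memberUid", []))
    return bool(user_uids & member_uids)

def access_level(bind_dn: str, sasl_ssf: int) -> str:
    """Return 'write' if an admin clause applies on a strong enough session, else 'break'."""
    if sasl_ssf < MIN_SSF:
        return "break"  # clause does not apply; falls through to 'by * break'
    if group_base_matches(bind_dn, "cn=ldapAdmin,cn=applications,dc=example,dc=com"):
        return "write"
    if set_matches(bind_dn, "cn=admins,cn=filegroups,dc=example,dc=com"):
        return "write"
    return "break"
```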