
Re: posixgroup and groupofnames





--On Tuesday, April 10, 2007 7:40 PM +0200 Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:

James Tran writes:
I want to be able to make a group that is authorized to be admins to the
LDAP database, but it seems I can't do it with posixGroups.

Strictly speaking the 'admin' is the rootdn given in slapd.conf. But if you mean to give full read and write access:

You can use "sets".  They are still marked experimental, but are
described in <http://www.openldap.org/faq/data/cache/1133.html>.

This is all written without testing, but it would be something like
this:

access to *
  by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" write
set="user/objectClass & [posixGroup]"

Or you can just create a normal group...

For example, in my server I have:

dn: cn=ldapAdmin,cn=applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: uid=quanah,cn=accounts,dc=stanford,dc=edu


So my bind DN is a member of that group. Then in my ACLs I put:

access to *
  by group.base="cn=ldapAdmin,cn=Applications,dc=example,dc=edu" sasl_ssf=56 write
  by * break



--Quanah

--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
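As an added example (not code from the thread or from OpenLDAP itself), here is a small Python model of the two authorization checks discussed above: Hallvard's posixGroup set expression and Quanah's groupOfNames group.base clause with its sasl_ssf gate. The directory entries, DNs and uids are constructed sample data under dc=example,dc=com, and the function names are my own.

```python
from typing import Dict, List, Optional
# Constructed sample directory (not real server data): two users, one
# groupOfNames (member holds DNs) and one posixGroup (memberUid holds uids).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=quanah,cn=accounts,dc=example,dc=com": {"uid": ["quanah"]},
    "uid=alice,cn=accounts,dc=example,dc=com": {"uid": ["alice"]},
    "cn=ldapAdmin,cn=applications,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=quanah,cn=accounts,dc=example,dc=com"],
    },
    "cn=admins,cn=filegroups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["quanah", "alice"],
    },
}

def normalize_dn(dn: str) -> str:
    # DN matching is case-insensitive (cn=Applications == cn=applications);
    # this simplified normalizer lower-cases and strips RDN padding.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def lookup(dn: str) -> Optional[Dict[str, List[str]]]:
    want = normalize_dn(dn)
    return next((a for d, a in DIRECTORY.items() if normalize_dn(d) == want), None)

def group_base_allows(bind_dn: str, group_dn: str) -> bool:
    """Model of 'by group.base=<group_dn>' with the default groupOfNames/member:
    the bound DN must be one of the group's member values."""
    group = lookup(group_dn) or {}
    members = {normalize_dn(m) for m in group.get("member", [])}
    return normalize_dn(bind_dn) in members

def set_allows(bind_dn: str, group_dn: str) -> bool:
    """Model of the set 'user/uid & [<group_dn>]/memberUid': the bound user's
    uid values intersected with the posixGroup's memberUid values must be
    non-empty (compared as exact strings in this model)."""
    user, group = lookup(bind_dn) or {}, lookup(group_dn) or {}
    return bool(set(user.get("uid", [])) & set(group.get("memberUid", [])))

def quanah_acl(bind_dn: str, sasl_ssf: int) -> Optional[str]:
    """Model of:  access to *
                    by group.base="cn=ldapAdmin,..." sasl_ssf=56 write
                    by * break
    sasl_ssf=56 is a minimum, so a plaintext bind (SSF 0) never matches.
    Returns "write" on a match, None when slapd would 'break' to the next
    access directive."""
    admins = "cn=ldapAdmin,cn=Applications,dc=example,dc=com"
    ok = sasl_ssf >= 56 and group_base_allows(bind_dn, admins)
    return "write" if ok else None
```

Note that alice is in the posixGroup but not the groupOfNames, so the two ACL styles give different answers for her, and quanah with an unprotected bind gets nothing from the first clause at all.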