Re: posixgroup and groupofnames

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, April 10, 2007 7:40 PM +0200 Hallvard B Furuseth 
<h.b.furuseth@usit.uio.no> wrote:

> James Tran writes:
> > i want to be able to make a group that is authorized to be admins to the
> > ldap database but it seems i cant do it with posixgroups.
>
> Strictly speaking the 'admin' is admin the rootdn given in slapd.conf.
> But if you mean to give full read and write access:
>
> You can use "sets".  They are still marked experimental, but are
> described in <http://www.openldap.org/faq/data/cache/1133.html>.
>
> This is all written without testing, but it would be something like
> this:
>
> access to *
>   by set="user/uid &
> [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
> set="user/objectClass & [posixGroup]"

Or you can just create a normal group...

For example, in my server I have:

dn: cn=ldapAdmin,cn=applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: uid=quanah,cn=accounts,dc=stanford,dc=edu


So my bind DN is a member of that group.  Then in my ACLs I put:

access to *
   by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 write
   by * break


--Quanah

--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html