[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Again ACL problems

To: openldap-software@openldap.org
Subject: Re: Again ACL problems
From: Mateusz Kijowski <mateusz.kijowski@gmail.com>
Date: Mon, 14 Jul 2008 12:57:18 +0200
In-reply-to: <48765E40.4030000@lmv-hartmannsdorf.de>
References: <48765E40.4030000@lmv-hartmannsdorf.de>
User-agent: PLD Linux KMail/1.9.9

Dnia czwartek, 10 lipca 2008, Sebastian Reinhardt napisaÅ:
> I have a problem by configuring access to an shared address book.
>
> Users and groups are defined in following structure:
>
> dc=mycompany,dc=org
>
>   |--ou=abook
>   |
>   |           |----cn=adressbookentry1
>   |           |----cn=adressbookentry2
>   |           |----......
>   |
>   |--ou=groups
>   |
>   |           |----cn=group1
>   |           |----cn=abook_rw
>   |           |----cn=abook_ro
>   |           |----........
>   |
>   |--ou=users
>   |
>   |           |----uid=user1(member of group "abook_rw")
>   |           |----uid=user2(member of group "abook_ro")
>   |           |----.........
>
> Now users of group "abook_rw" should be able to write/edit an entry into
> "ou=abook", but members of "abook_ro" should have read-only access.
> I tried this "slapd.conf" config entry:
>
> access to dn.subtree="ou=abook,dc=mycompany,dc=org"
>               by group="cn=abook_rw,dc=mycompany,dc=org" write
>               by group="cn=abook_ro,dc=mycompany,dc=org" read

Your group DNs seem to be wrong. Shouldn't that be:

access to dn.subtree="ou=abook,dc=mycompany,dc=org"
               by group="cn=abook_rw,ou=groups,dc=mycompany,dc=org" write
               by group="cn=abook_ro,ou=groups,dc=mycompany,dc=org" read

--
Mateusz

Attachment: signature.asc
Description: This is a digitally signed message part.

References:
- Again ACL problems
  - From: Sebastian Reinhardt <snr@lmv-hartmannsdorf.de>

Prev by Date: Re: Problems with SASL EXTERNAL and ldapi:// on solaris
Next by Date: slapo-unique
Index(es):
- Chronological
- Thread