Access control
- To: openldap-technical@openldap.org
- Subject: Access control
- From: Thomas Schweikle <tps@vr-web.de>
- Date: Sun, 30 Jan 2011 23:36:13 +0100
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; de-DE; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
Hi!
I am trying to set up access control for an OpenLDAP server. I'd
like to use a Group to set up users allowed to access and write to
entries inside my tree:
I've created the group:
dn: cn=administrators,dc=example,dc=com
cn: administrators
# groupOfNames is important for the group ACL feature
objectClass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
in
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
 by group.exact="cn=administrators,dc=example,dc=com" write
 by dn="cn=adm,dc=example,dc=com" write
 by anonymous auth
 by self write
 by * none
olcAccess: to dn.base=""
 by * read
olcAccess: to *
 by group.exact="cn=administrators,dc=example,dc=com" write
 by dn="cn=adm,dc=example,dc=com" write
 by * read
Now trying to access "userPassword" from any user inside the tree
"ou=Users,dc=example,dc=com".
1. The password field is empty -- it should hold a value.
2. Entering a value, then pressing apply: "Error modifying
'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access"
I'd expected to have access to "userPassword" and I am allowed to
write this value. Why does it not work if I log in with user1?
--
Thomas
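An added example, not part of the post and not OpenLDAP code: a small Python simulator of the first-match evaluation described in slapd.access(5), run over the olcAccess rules quoted above. The group membership table is constructed to mirror the groupOfNames entry in the post. It shows that the rules as written do grant user1 write on userPassword of another user, and that moving the `to *` clause ahead of the `to attrs=userPassword,...` clause would let anonymous binds read password attributes.

```python
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMINS = 'group.exact="cn=administrators,dc=example,dc=com"'
ROOT = 'dn="cn=adm,dc=example,dc=com"'
# The post's olcAccess rules as (what, [(who, level), ...]), in the order given.
RULES = [
    ("attrs=userPassword,shadowLastChange,krbPrincipalKey",
     [(ADMINS, "write"), (ROOT, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ('dn.base=""', [("*", "read")]),
    ("*", [(ADMINS, "write"), (ROOT, "write"), ("*", "read")]),
]
# Constructed membership table standing in for the groupOfNames entry in the post.
GROUPS = {"cn=administrators,dc=example,dc=com":
          {"cn=user1,ou=Users,dc=example,dc=com", "cn=user2,ou=Users,dc=example,dc=com"}}

def target_matches(what, target_dn, attr):
    """Does a 'to' clause cover attribute `attr` of entry `target_dn`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    if what.startswith("dn.base="):
        return target_dn == what[8:].strip('"')
    return False

def who_matches(who, bind_dn, target_dn, groups):
    """Does a 'by' clause cover the requester bound as `bind_dn` (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn="):
        return bind_dn == who[3:].strip('"')
    if who.startswith("group.exact="):
        return bind_dn in groups.get(who[12:].strip('"'), ())
    return False

def access(rules, bind_dn, target_dn, attr, wanted, groups=GROUPS):
    """True if bind_dn gets at least `wanted` access on attr of target_dn."""
    for what, bys in rules:
        if not target_matches(what, target_dn, attr):
            continue  # only the first matching "to" clause is consulted
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn, groups):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # "to" matched but no "by" did: implicit "by * none"
    return False  # no clause matched at all: default is no access
```

On the server itself, slapacl(8) performs this check against the live configuration and is the authoritative way to see which clause actually fires for a given bind DN, entry and attribute.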