ACL syntax for delegating a subdomain to a group
- To: openldap-technical@openldap.org
- Subject: ACL syntax for delegating a subdomain to a group
- From: Brian Riffle <quantumriff@gmail.com>
- Date: Wed, 18 Jul 2012 11:41:36 -0500
I am struggling to find documentation on how to use the cn=config syntax for delegating a subdomain to a group of users.
In my situation, I have an OU set up for customer accounts (ou=subdomain,ou=People,dc=example,dc=com). I can currently edit that if I log in as a user in our admin OU, ou=admins,dc=example,dc=com. However, I don't want to give our front-facing support that much access.
Basically, I want the following:
- any user can update their info.
- anyone in ou=admin can update anything
- anybody in group cn=cust_support,ou=group,dc=example,dc=com can do anything to anyone in the ou=subdomain,ou=People OU. (create/edit/update/delete)
However, I am struggling to get the syntax right. I have tried many permutations, and the most recent example was to use these rules for setting olcAccess in the cn=config database:
{0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * none
{1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" by self write by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * read
{2}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by * read
I have tried making cn=cust_support,ou=group,dc=example,dc=com both a posixGroup and a groupOfNames. With both of them, when I go to save a new user, I get "insufficient access".
If anyone could guide me in the correct direction, it would be greatly appreciated.
Thanks!
Brian
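An added example of one way to express the three requirements above as a cn=config LDIF; this is not from the post or from the OpenLDAP project. It assumes the data backend is olcDatabase={1}mdb,cn=config (a placeholder, check your own with ldapsearch on cn=config for olcSuffix) and that cn=cust_support is a groupOfNames whose member values are full DNs, which is what group.exact matches by default (a posixGroup's memberUid holds uids, not DNs, so it cannot satisfy a group clause). It also scopes the support team's userPassword write to the customer subtree, since a bare "to attrs=userPassword" rule applies to every entry in the directory, admins included.

```ldif
# Added example: olcAccess set delegating ou=subdomain to cn=cust_support.
# Assumed database DN below; adjust to the olcDatabase entry of your suffix.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Customer passwords: owner, admins and support may set them; others only bind.
olcAccess: {0}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="ou=admins,dc=example,dc=com" write
  by group/groupOfNames/member.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * none
# All other passwords: support gets no write here, only the owner and admins.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="ou=admins,dc=example,dc=com" write
  by * none
# Customer subtree: write on the whole subtree also covers the entry and
# children pseudo-attributes that add and delete operations are checked against.
olcAccess: {2}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com"
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by group/groupOfNames/member.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * read
# Everything else: users edit their own entry, admins edit anything, others read.
olcAccess: {3}to *
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by * read
```

Before relying on it, check the result offline with slapacl, e.g. `slapacl -F /etc/ldap/slapd.d -D "uid=support1,ou=People,dc=example,dc=com" -b "ou=subdomain,ou=People,dc=example,dc=com" children/write` (the support user DN and config directory are assumptions), which reports whether that identity may add entries under the OU without performing any write.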