
ACL: write privilege needed for the whole subtree of "dc=exadel,dc=com"

Hello guys,
Currently I have this ACL in my slapd.conf file:

access to attrs=userPassword,userPKCS12
by self write
by * auth

access to attrs=shadowLastChange
by self write
by * read

access to *
by peername.ip=10.206.179.0%255.255.255.0 read
.....
I need write privileges for my group. I made some changes:

access to attrs=userPassword,userPKCS12
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by self write
by * auth

access to attrs=shadowLastChange
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by self write
by * read

access to dn.subtree="dc=exadel,dc=com"
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by peername.ip=206.169.37.147 read

access to *
by peername.ip=10.206.179.0%255.255.255.0 read

After that, users from the LDAP_admins group can edit everything. But our Password Change System, where users can change their passwords, stopped working properly because users can't log in.

After I delete

access to dn.subtree="dc=exadel,dc=com"
by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write
by peername.ip=206.169.37.147 read
the Password Change System starts working well, but users from the LDAP_admins group lose their write permissions.
After that I tried a large number of configuration options, but still have the problem.
Please help!
-- 
With Best Wishes
Andrei Valoshyn
Exadel Inc. 
System Administrator
avaloshyn@exadel.com

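The directive-ordering behaviour behind the problem described above, as an added example that is not part of the original message and not OpenLDAP code: a small Python model of how slapd evaluates access directives (first matching "access to" selector wins, then the first matching "by" clause inside it; a matched directive with no matching "by" clause, or no matching directive at all, grants no access). It models only the selectors used in the post; the user DN uid=jdoe, the admin DN uid=admin1, the group membership lookup and the peer addresses 10.206.179.50 and 192.0.2.10 are constructed for illustration. Run over the two configurations from the post, it shows that a client on 10.206.179.0/24 reading an ordinary attribute of an entry under dc=exadel,dc=com is decided by the dn.subtree directive, whose by clauses do not cover it, so it gets no access; with that directive deleted the same request falls through to the final "access to *" directive and gets read, while the LDAP_admins members lose write on those attributes.

```python
import ipaddress
from dataclasses import dataclass, field

# Access levels in increasing order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Request:
    bind_dn: str                 # "" for an anonymous client
    peer_ip: str                 # client address as seen by slapd
    target_dn: str               # entry being accessed
    attr: str                    # attribute being accessed
    groups: set = field(default_factory=set)  # group DNs of the bind DN (constructed lookup)


def who_matches(who, req):
    """Does a <who> clause apply to this requester?"""
    if who == "*":
        return True
    if who == "self":
        return req.bind_dn != "" and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("group.exact="):
        group = who[len("group.exact="):].strip('"').lower()
        return group in {g.lower() for g in req.groups}
    if who.startswith("peername.ip="):
        spec = who[len("peername.ip="):]
        if "%" in spec:                      # ip%mask form
            net, mask = spec.split("%")
            return ipaddress.ip_address(req.peer_ip) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        return req.peer_ip == spec
    raise ValueError(f"unsupported <who>: {who}")


def what_matches(what, req):
    """Does a <what> selector cover this entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return req.attr.lower() in {a.lower() for a in what[len("attrs="):].split(",")}
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        dn = req.target_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unsupported <what>: {what}")


def evaluate(acl, req):
    """Return (granted level, index of the deciding directive).

    The first directive whose <what> matches is the only one consulted; inside
    it the first matching <by> clause decides. No matching <by> clause, or no
    matching directive at all, means no access.
    """
    for i, (what, by_clauses) in enumerate(acl):
        if not what_matches(what, req):
            continue
        for who, level in by_clauses:
            if who_matches(who, req):
                return level, i
        return "none", i
    return "none", None


def allows(level, needed):
    """True if the granted level covers the needed one."""
    return LEVELS.index(level) >= LEVELS.index(needed)


ADMINS = 'group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com"'

# The ACL from the post, with the dn.subtree directive in place.
POSTED_ACL = [
    ("attrs=userPassword,userPKCS12", [(ADMINS, "write"), ("self", "write"), ("*", "auth")]),
    ("attrs=shadowLastChange", [(ADMINS, "write"), ("self", "write"), ("*", "read")]),
    ('dn.subtree="dc=exadel,dc=com"', [(ADMINS, "write"), ("peername.ip=206.169.37.147", "read")]),
    ("*", [("peername.ip=10.206.179.0%255.255.255.0", "read")]),
]
# The same ACL with the dn.subtree directive deleted, as in the second configuration.
WITHOUT_SUBTREE = [r for r in POSTED_ACL if not r[0].startswith("dn.subtree=")]

# Constructed sample requesters; DNs and client addresses are illustrative only.
USER = "uid=jdoe,ou=People,dc=exadel,dc=com"
ADMIN_GROUP = "cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com"
anon_search = Request("", "10.206.179.50", USER, "uid")      # anonymous lookup from 10.206.179.0/24
admin_edit = Request("uid=admin1,ou=People,dc=exadel,dc=com", "192.0.2.10", USER, "mail", {ADMIN_GROUP})
self_pw = Request(USER, "10.206.179.50", USER, "userPassword")  # user changing own password


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("without subtree rule", WITHOUT_SUBTREE)):
        print(name, "| anonymous uid read:", evaluate(acl, anon_search),
              "| admin mail write:", evaluate(acl, admin_edit),
              "| self userPassword:", evaluate(acl, self_pw))
```

Each result is a (level, directive index) pair, so the output also shows which directive made the decision; comparing the index for the anonymous lookup across the two configurations is the quickest way to see that it is the dn.subtree directive, not the attrs directives, that changes the outcome.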