--On Tuesday, April 10, 2007 7:40 PM +0200 Hallvard B Furuseth h.b.furuseth@usit.uio.no wrote:
James Tran writes:
I want to be able to make a group that is authorized to be admins to the LDAP database, but it seems I can't do it with posixGroups.
Strictly speaking, the 'admin' is the rootdn given in slapd.conf. But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are described in http://www.openldap.org/faq/data/cache/1133.html.
This is all written without testing, but it would be something like this:
    access to *
        by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
           set="user/objectClass & [posixGroup]"
Or you can just create a normal group...
For example, in my server I have:
    dn: cn=ldapAdmin,cn=applications,dc=stanford,dc=edu
    objectClass: groupOfNames
    cn: ldapAdmin
    member: uid=quanah,cn=accounts,dc=stanford,dc=edu
So my bind DN is a member of that group. Then in my ACLs I put:
    access to *
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by * break
--Quanah
--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
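The two replies above show only the single ACL line that grants the admin group write access. The fragment below is an added example, not configuration from either poster's server, that puts that line into a complete slapd.conf access block so the effect of the trailing "by * break" is visible: the admin rule is evaluated first, and everyone who does not match it falls through to the ordinary per-attribute rules that follow. All names under dc=example,dc=com, the ou=groups/ou=people layout and the rules after the admin rule are assumptions; the groupOfNames approach and the "sasl_ssf=56 write / by * break" clauses follow Quanah's reply, and the commented-out set clause follows Hallvard's quoted (untested) posixGroup variant.

```conf
# Added example, not from the thread. Assumed suffix: dc=example,dc=com.
#
# The admin group is a groupOfNames, whose "member" values are full DNs.
# The ACL "group" clause compares the bound DN against those values, which
# is why a posixGroup (memberUid holds bare usernames) cannot be used with
# the "group" clause directly.
#
#   dn: cn=ldapAdmin,ou=groups,dc=example,dc=com
#   objectClass: groupOfNames
#   cn: ldapAdmin
#   member: uid=alice,ou=people,dc=example,dc=com

# Rule 1: members of the admin group get write access to the whole tree,
# but only when the connection has a SASL security layer of at least 56
# bits. Note that sasl_ssf counts the SASL layer alone: a simple bind over
# TLS sets tls_ssf/ssf, not sasl_ssf, so such a session does not match
# this clause and falls through to the rules below like any other user.
# "by * break" continues evaluation for everyone who did not match.
access to *
        by group.base="cn=ldapAdmin,ou=groups,dc=example,dc=com" sasl_ssf=56 write
        by * break

# Alternative for a posixGroup (from Hallvard's quoted reply, which he
# marked as untested; the access level "write" is added here). The set
# intersects the bound user's uid values with the group's memberUid values
# and matches when the intersection is non-empty.
#access to *
#        by set="user/uid & [cn=admins,ou=groups,dc=example,dc=com]/memberUid" write
#        by * break

# Rule 2: passwords may be changed by their owner and used for binding by
# anyone, but never read back. Admins already matched Rule 1 and did not
# reach this rule.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Rule 3: everything else is readable by authenticated users and writable
# only by the entry's owner; anonymous clients see nothing.
access to *
        by self write
        by users read
        by * none
```

Order matters in slapd ACLs: the first "access to" whose target matches is used, and within it the first matching "by" clause decides unless that clause ends in "break". Put the admin rule first, and test a non-admin bind afterwards to confirm it really does fall through to Rules 2 and 3 rather than being granted access by an over-broad first rule.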