I'd like to grant members of an Administrator group full access to everything in LDAP.
According to the ldap FAQ, the default objectclass is "groupOfNames" and the default attribute checked is "member". To match my config I'd need to change the values to "posixGroup" and "memberUid" respectively. It looks like you can do that with the following syntax:
<who> ::= group[/<objectclass>[/<attrname>][.<style>]]=<pattern>]
I can't find any examples on the web and I've been unsuccessful experimenting with various syntactical permutations. slapd won't start with any of the following:
access to * by group/posixGroup="Admins,ou=Group,dc=example,dc=com" write
access to * by group/posixGroup/memberUid="Admins,ou=Group,dc=example,dc=com" write
I'm running OpenLDAP 2.2.13-2
Has anyone been able to make this work?
TIA, Jason
Ack.
Just found this: http://www.openldap.org/lists/openldap-software/200710/msg00343.html and this: http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
Looks like other people are trying to work with posixGroups as well.
On Oct 26, 2007, at 1:42 PM, Jason Dearborn wrote:
Ack.
Just found this: http://www.openldap.org/lists/openldap-software/200710/msg00343.html and this: http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
Looks like other people are trying to work with posixGroups as well.
Well, you see a lot of weird things on the web. I wouldn't take this too seriously.
I have not used posixGroup - we use groupOfNames, just like everyone else except the posixGroup heretics and the groupOfUniqueName heretics. But as far as I know, any of these works the same, and your syntax is right.
If you can turn debugging up on a test service, you can watch the whole authorization thing happen in gory detail. This may uncover an issue that has nothing to do with choice of group schema - like, you're getting stuck on another authorization in the configuration, or your member values don't actually match the authenticated names as intended, etc. I would look at that before giving up on your schema, if you have some other reason to need posixGroup. (If you don't, of course, groupOfNames is the Right Way!)
Donn Cave, donn@u.washington.edu
Jason Dearborn wrote:
Has anyone been able to make this work?
It's impossible because in [rd]ecent releases of OpenLDAP software member attributes can only have distinguishedName (or, unfortunately, nameAndOptionalUID) syntax, or be or inherit from labeledURI, so memberUid is not allowed. The reason is straightforward, if you consider how group membership is designed in LDAP (not just in OpenLDAP): members are listed in groups by their name (the DN), the only bit that's supposed to be unique.
Many people tried to use memberUid, but I can guarantee they all failed.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
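Added editorial example, not from any poster in this thread: a small pre-check for the `group` form of an ACL `<who>` clause, built from the grammar quoted in the original question and the rule Pierangelo gives (the membership attribute must hold DNs). It also checks that the pattern is itself a well-formed DN, since slapd matches the group by its full DN (so the group's own `cn=` RDN belongs in it). The allow-list of DN-valued attributes and the function names are assumptions for illustration, not slapd's own parser.

```python
import re

# DN-valued attribute types usable as the membership attribute of a "group"
# clause. memberUid holds plain uid strings and is deliberately absent.
# Assumption: illustrative list; labeledURI-derived attributes are omitted.
DN_VALUED_MEMBER_ATTRS = {"member", "uniqueMember", "roleOccupant", "owner", "seeAlso"}

# group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
GROUP_RE = re.compile(
    r'^group(?:/(?P<oc>[A-Za-z][\w-]*)(?:/(?P<attr>[A-Za-z][\w-]*))?)?'
    r'(?:\.(?P<style>\w+))?=(?P<pattern>.+)$')

# One RDN component must look like attr=value.
RDN_RE = re.compile(r'^[A-Za-z][\w-]*=.+$')


def dn_is_wellformed(dn):
    """True if every comma-separated (unescaped) component is attr=value."""
    parts = re.split(r'(?<!\\),', dn)
    return all(RDN_RE.match(p.strip()) for p in parts)


def check_group_clause(clause):
    """Return (ok, reason) for one ACL <who> group clause."""
    m = GROUP_RE.match(clause.strip())
    if not m:
        return False, "does not match group[/<oc>[/<attr>]][.<style>]=<pattern>"
    oc = m.group("oc") or "groupOfNames"      # slapd defaults
    attr = m.group("attr") or "member"
    pattern = m.group("pattern").strip('"')
    if attr not in DN_VALUED_MEMBER_ATTRS:
        return False, f"{attr} does not hold DNs; a DN-valued member attribute is required"
    if not dn_is_wellformed(pattern):
        return False, f"pattern {pattern!r} is not a DN (each RDN needs attr=value)"
    return True, f"{oc}/{attr} matched against {pattern}"


if __name__ == "__main__":
    # Constructed sample clauses: the two from the original question plus a
    # groupOfNames/member form of the kind Quanah describes.
    for c in ['group/posixGroup="Admins,ou=Group,dc=example,dc=com"',
              'group/posixGroup/memberUid="Admins,ou=Group,dc=example,dc=com"',
              'group/groupOfNames/member="cn=Admins,ou=Group,dc=example,dc=com"']:
        print(c, "->", check_group_clause(c))
```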
--On Friday, October 26, 2007 1:30 PM -0700 Jason Dearborn jasondearborn@gmail.com wrote:
Has anyone been able to make this work?
Sure, I just created a normal group, like you'll find here:
http://www.stanford.edu/services/directory/openldap/configuration/base-ldif.html
(See the "ldapAdmin" group)
Then see the ACLs here:
http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html
Very simple.
By the way, you need to upgrade. You appear to be using RedHat's extremely broken very ancient build. The current release is OpenLDAP 2.3.39, and OpenLDAP 2.4 is close. You are several years behind. I'd suggest Buchan Milne's builds for RedHat or Symas's precompiled OpenLDAP builds.
http://staff.telkomsa.net/packages/ or http://www.symas.com
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration