I have a problem configuring access to a shared address book.
Users and groups are defined in the following structure:
dc=mycompany,dc=org
|--ou=abook
|  |----cn=adressbookentry1
|  |----cn=adressbookentry2
|  |----......
|--ou=groups
|  |----cn=group1
|  |----cn=abook_rw
|  |----cn=abook_ro
|  |----........
|--ou=users
|  |----uid=user1 (member of group "abook_rw")
|  |----uid=user2 (member of group "abook_ro")
|  |----.........
Now users of group "abook_rw" should be able to write/edit entries in "ou=abook", but members of "abook_ro" should have read-only access. I tried this "slapd.conf" config entry:
access to dn.subtree="ou=abook,dc=mycompany,dc=org"
    by group="cn=abook_rw,dc=mycompany,dc=org" write
    by group="cn=abook_ro,dc=mycompany,dc=org" read
But only "ldaproot" can access "ou=abook" using LDAP client software (KAddressBook, LDAP-Editor)! What is wrong?
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
> I have a problem configuring access to a shared address book.
> Users and groups are defined in the following structure:
> dc=mycompany,dc=org
> |--ou=abook
> |  |----cn=adressbookentry1
> |  |----cn=adressbookentry2
> |  |----......
> |--ou=groups
> |  |----cn=group1
> |  |----cn=abook_rw
> |  |----cn=abook_ro
> |  |----........
> |--ou=users
> |  |----uid=user1 (member of group "abook_rw")
> |  |----uid=user2 (member of group "abook_ro")
> |  |----.........
> Now users of group "abook_rw" should be able to write/edit entries in "ou=abook", but members of "abook_ro" should have read-only access. I tried this "slapd.conf" config entry:
> access to dn.subtree="ou=abook,dc=mycompany,dc=org"
>     by group="cn=abook_rw,dc=mycompany,dc=org" write
>     by group="cn=abook_ro,dc=mycompany,dc=org" read
> But only "ldaproot" can access "ou=abook" using LDAP client software (KAddressBook, LDAP-Editor)! What is wrong?
Try debugging with level ACL.
-Dieter
On Thursday, 10 July 2008, Sebastian Reinhardt wrote:
> I have a problem configuring access to a shared address book.
> Users and groups are defined in the following structure:
> dc=mycompany,dc=org
> |--ou=abook
> |  |----cn=adressbookentry1
> |  |----cn=adressbookentry2
> |  |----......
> |--ou=groups
> |  |----cn=group1
> |  |----cn=abook_rw
> |  |----cn=abook_ro
> |  |----........
> |--ou=users
> |  |----uid=user1 (member of group "abook_rw")
> |  |----uid=user2 (member of group "abook_ro")
> |  |----.........
> Now users of group "abook_rw" should be able to write/edit entries in "ou=abook", but members of "abook_ro" should have read-only access. I tried this "slapd.conf" config entry:
> access to dn.subtree="ou=abook,dc=mycompany,dc=org"
>     by group="cn=abook_rw,dc=mycompany,dc=org" write
>     by group="cn=abook_ro,dc=mycompany,dc=org" read
Your group DNs seem to be wrong. Shouldn't that be:
access to dn.subtree="ou=abook,dc=mycompany,dc=org"
    by group="cn=abook_rw,ou=groups,dc=mycompany,dc=org" write
    by group="cn=abook_ro,ou=groups,dc=mycompany,dc=org" read
-- Mateusz
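The following is an added example, not code from this thread or from OpenLDAP: a small Python model of how slapd walks an `access to <what> by <who> <level>` directive, run against Sebastian's original directive and Mateusz's corrected one. It shows why the original silently grants nothing: the `<what>` matches `ou=abook`, so that directive is the one that decides, but neither `by group=` clause names an entry that exists, so no `<who>` matches and the implicit final `by * none` applies, while the rootdn bypasses ACLs entirely (hence "only ldaproot can access"). The in-memory directory, the member lists and the rootdn name `cn=ldaproot,dc=mycompany,dc=org` are assumptions constructed for the example; the two directives are the ones quoted in the thread.

```python
"""Toy model of slapd `access to ... by ...` evaluation for the ACL in this thread.

Added illustration, not OpenLDAP's own code.  It models only what the thread needs:
dn.subtree targets, `by group=<dn>` / `by users` / `by anonymous` / `by *` clauses,
first-match semantics, rootdn bypass, and the implicit final `by * none`.
"""
import re

# Constructed sample directory following the poster's tree.  The groups are
# groupOfNames entries with a `member` attribute, which is what a bare
# `group=` clause (short for group/groupOfNames/member=) looks for.
DIRECTORY = {
    "cn=abook_rw,ou=groups,dc=mycompany,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user1,ou=users,dc=mycompany,dc=org"],
    },
    "cn=abook_ro,ou=groups,dc=mycompany,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user2,ou=users,dc=mycompany,dc=org"],
    },
}

ROOTDN = "cn=ldaproot,dc=mycompany,dc=org"  # assumed rootdn; the thread only says "ldaproot"

# The poster's directive (group DNs lack the ou=groups RDN) and Mateusz's corrected one.
WRONG_ACL = ('access to dn.subtree="ou=abook,dc=mycompany,dc=org" '
             'by group="cn=abook_rw,dc=mycompany,dc=org" write '
             'by group="cn=abook_ro,dc=mycompany,dc=org" read')
FIXED_ACL = ('access to dn.subtree="ou=abook,dc=mycompany,dc=org" '
             'by group="cn=abook_rw,ou=groups,dc=mycompany,dc=org" write '
             'by group="cn=abook_ro,ou=groups,dc=mycompany,dc=org" read')


def normalize(dn):
    """Case- and whitespace-insensitive DN form, good enough for this model."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    dn, base = normalize(dn), normalize(base)
    return dn == base or dn.endswith("," + base)


def parse_access(directive):
    """Return (target_base, [(who, level), ...]) for one access directive."""
    m = re.match(r'access\s+to\s+dn\.subtree="([^"]+)"\s+(.*)$', directive.strip())
    if not m:
        raise ValueError("only dn.subtree targets are modelled")
    clauses = re.findall(r'by\s+(\*|users|anonymous|group="[^"]+")\s+(\w+)', m.group(2))
    if not clauses:
        raise ValueError("no by-clauses found")
    return m.group(1), clauses


def group_matches(who, requester_dn):
    """`by group="<dn>"`: look the group entry up; a missing entry never matches."""
    group_dn = who[len('group="'):-1]
    entry = DIRECTORY.get(normalize(group_dn))
    if entry is None or "groupOfNames" not in entry["objectClass"] or requester_dn is None:
        return False
    return normalize(requester_dn) in {normalize(m) for m in entry.get("member", [])}


def evaluate(directives, requester_dn, target_dn):
    """Access level the requester gets on target_dn; requester_dn=None means anonymous."""
    if requester_dn is not None and normalize(requester_dn) == normalize(ROOTDN):
        return "manage"  # the rootdn is never subject to ACLs
    for directive in directives:
        base, clauses = parse_access(directive)
        if not in_subtree(target_dn, base):
            continue  # <what> does not match; try the next directive
        for who, level in clauses:
            if (who == "*"
                    or (who == "users" and requester_dn is not None)
                    or (who == "anonymous" and requester_dn is None)
                    or (who.startswith("group=") and group_matches(who, requester_dn))):
                return level  # first matching <who> clause wins
        return "none"  # <what> matched but no <who> did: implicit `by * none`
    return "none"  # no directive matched: implicit final `access to * by * none`


ENTRY = "cn=adressbookentry1,ou=abook,dc=mycompany,dc=org"
USER1 = "uid=user1,ou=users,dc=mycompany,dc=org"
USER2 = "uid=user2,ou=users,dc=mycompany,dc=org"

if __name__ == "__main__":
    for label, acl in (("wrong", WRONG_ACL), ("fixed", FIXED_ACL)):
        print(label, "user1:", evaluate([acl], USER1, ENTRY),
              "user2:", evaluate([acl], USER2, ENTRY),
              "anonymous:", evaluate([acl], None, ENTRY))
```

Under the original directive both users end up with `none` on every entry below `ou=abook`; under the corrected one user1 gets `write` and user2 gets `read`, and anonymous still gets nothing because no `by *` or `by anonymous` clause exists. On a real server the same walk is visible with Dieter's suggestion, `slapd -d acl` (debug level 128), which logs each directive and `by` clause as it is tried. Two caveats the model makes explicit: a `group=` clause that names a non-existent DN is not a configuration error, it just never matches, and the bare `group=` form expects `groupOfNames`/`member`; groups stored as `groupOfUniqueNames` need `group/groupOfUniqueNames/uniqueMember="..."` instead.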
openldap-software@openldap.org