I have been using OpenLDAP for years to store my users, so I have to define them only once. The users can log on to both Linux and Windows (Samba). Now I want to add address books and manage the access rights.
I have a problem with the usage of groups in an access control. I want to have address books in my LDAP, but they should not be accessible by everybody. I used http://www.openldap.org/faq/data/cache/52.html to configure OpenLDAP, but it does not seem to work. I have created a group like this:
    dn: cn=abk-admin,ou=Roles,dc=example,dc=com
    objectClass: groupOfNames
    member: cn=My ENTRY,ou=People,dc=example,dc=com
    cn: abk-admin
and an address-book like this:
    dn: ou=abk1,ou=Addressbooks,dc=example,dc=com
    ou: abk1
    objectClass: organizationalUnit
    objectClass: top
(Both entries are output of slapcat. I did not put in the attributes like creatorsName and entryUUID)
In the slapd.conf I have the following access rules:
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=proxyuser,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none
    access to attrs=shadowLastChange,shadowMax
        by self write
        by * read
    access to dn.base=""
        by * read
    access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
    access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
        by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
        by * none
I searched around and changed dn.children to dn.subtree and dn.one, but the result is the same. I can read the entries, but I cannot insert or delete an entry. I can only do this as admin, but only if the line for admin is defined. What did I do wrong or understand wrong? I tried to find the answer on the internet but was not able to :(
OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39) Debian 6.0.6
Regards,
Marco
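As an added illustration of how slapd evaluates these directives (example code written here, not part of the original post and not OpenLDAP's own code): slapd takes the first "access to" directive whose target matches the entry and never looks at later ones, so the order of the last two rules above decides which one governs the address book. The group membership and DNs are assumed from the entries in the post; the attrs rules and the dn.base="" rule are left out of the model.

```python
# Toy model of slapd.conf ACL evaluation (added example, not from the post):
# slapd uses the FIRST "access to" directive whose target matches the entry,
# then the FIRST "by" clause in it that matches the requester; later ones are
# never consulted. DN scopes and group membership are simplified here.
ADMIN = "cn=admin,dc=example,dc=com"
ABK = "ou=abk1,ou=Addressbooks,dc=example,dc=com"
ROLES = "ou=Roles,dc=example,dc=com"
GROUPS = {"cn=abk-admin," + ROLES: {"cn=My ENTRY,ou=People,dc=example,dc=com"},
          "cn=abk-user," + ROLES: set()}  # constructed from the post's entries

def target_matches(what, entry_dn):
    """'access to <what>': supports *, dn.children=<dn>, dn.subtree=<dn>"""
    if what == "*":
        return True
    scope, _, base = what.partition("=")
    below = entry_dn.endswith("," + base)        # strictly beneath base
    if scope == "dn.children":
        return below
    if scope == "dn.subtree":
        return entry_dn == base or below
    raise ValueError("unsupported scope: " + scope)

def who_matches(who, bind_dn):
    """'by <who>': supports *, dn=<dn>, groupOfNames=<group dn>"""
    if who == "*":
        return True
    kind, _, value = who.partition("=")
    if kind == "dn":
        return bind_dn == value
    if kind == "groupOfNames":
        return bind_dn in GROUPS.get(value, set())
    raise ValueError("unsupported who: " + kind)

def effective_access(acl, bind_dn, entry_dn):
    """Access level slapd would grant bind_dn on entry_dn under acl."""
    for what, by_clauses in acl:
        if not target_matches(what, entry_dn):
            continue                      # this directive does not apply
        for who, level in by_clauses:
            if who_matches(who, bind_dn):
                return level              # first matching "by" wins
        return "none"                     # target matched, no "by" matched
    return "none"
# The last two directives from the post, first as posted, then swapped.
CATCH_ALL = ("*", [("dn=" + ADMIN, "write"), ("*", "read")])
ABK_RULE = ("dn.children=" + ABK, [("dn=" + ADMIN, "write"),
            ("groupOfNames=cn=abk-admin," + ROLES, "write"),
            ("groupOfNames=cn=abk-user," + ROLES, "read"), ("*", "none")])
AS_POSTED = [CATCH_ALL, ABK_RULE]        # "access to *" shadows ABK_RULE
SPECIFIC_FIRST = [ABK_RULE, CATCH_ALL]   # specific target before the catch-all
```

Real slapd additionally requires write access to the parent entry's `children` pseudo-attribute (and the new entry's `entry` pseudo-attribute) before an add or delete succeeds, and a dn.children scope on ou=abk1 grants nothing on ou=abk1 itself; this toy model ignores that.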