On Saturday, 14 May 2011 01:16:38 Juan Diego Calle wrote:
> Hi,
> For weeks I have been reading about openldap, in the mailing lists, etc. Basically I have Samba with ldap and I need a GUI to administrate the users (I can use smbldap-tools and a shell, but not some of the administrators). I installed phpldapadmin, and I can log in with the user "Administrator", but I can change, remove or add any user or anything. I have read about people that have similar configurations to mine and solve this problem. Besides the user interface everything seems to work fine, the machines are logged to the domain, the samba server is a PDC. As far as I understand I need to create an ACL in /etc/openldap/slapd.conf for the group that is going to administrate, and the problem is because I am trying to grant permissions to the Group "Domain Admins", and domain admins is more like a samba group.
In my opinion, the easiest solution for you is to ensure that your samba / smbldap-tools configuration is correct. In this case, your "Domain Admins" should be able to add users and groups etc. via 'User Manager for Domains' (usrmgr.exe)[1]. This will work by NT RPC calls to samba. Only samba's 'admin dn' should need access to modify the entries for the user accounts.
Please discuss any issues between samba and "User Manager for Domains" on the samba list.
If you want to continue to pursue OpenLDAP ACLs, please read 'man slapd.access' carefully; you should have noticed the problem in your ACLs.
> access to attrs=userpassword by self write by anonymous auth by * none
> access to * by self write by users read by anonymous read by * none
The line above has already matched everything, so the next line has nothing to operate on ...
> access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write
1. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c0011ab8-3178-47... a791-eafba0f42de2
Regards, Buchan
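
The first-match behaviour described in the reply, as an added example that is not part of the original thread: a simplified Python model of how slapd picks one `access to` rule and one `by` clause, run over the three posted rules and over one assumed correction. Assumptions: `USER` is a constructed entry, `REORDERED` is only one possible fix, the bare DN in the third posted rule is treated as an exact DN match, and only `*` and `attrs=` targets are modelled.

```python
# Simplified model of slapd ACL evaluation as described in slapd.access(5):
# the first "access to <what>" matching the target is selected, then the first
# "by <who>" in that rule matching the requester decides, and evaluation stops.
ADMIN = "uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec"
USER = "uid=jdoe,ou=People,dc=mydomain,dc=com,dc=ec"  # constructed sample entry

POSTED = [  # the three rules quoted in the thread
    "access to attrs=userpassword by self write by anonymous auth by * none",
    "access to * by self write by users read by anonymous read by * none",
    "access to * by " + ADMIN + " write",
]
ADMIN_BY = 'by dn.exact="' + ADMIN + '" write '
REORDERED = [  # assumed fix: admin clause moved to the front of each rule
    "access to attrs=userpassword " + ADMIN_BY + "by self write by anonymous auth by * none",
    "access to * " + ADMIN_BY + "by self write by users read by anonymous read by * none",
]

def parse(rule):
    t = rule.split()  # access to <what> (by <who> <level>)*
    return t[2], [(t[i + 1], t[i + 2]) for i in range(3, len(t), 3)]

def what_matches(what, attr):
    return what == "*" or attr.lower() in what.lower().split("=", 1)[1].split(",")

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who in ("users", "self"):
        return who == "users" or requester == target
    dn = who[len("dn.exact="):] if who.startswith("dn.exact=") else who  # bare DN as posted
    return dn.strip('"').lower() == requester.lower()

def evaluate(acl, requester, target, attr):
    """Return (access level, 1-based number of the rule that decided)."""
    for n, rule in enumerate(acl, 1):
        what, clauses = parse(rule)
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, requester, target):
                    return level, n
            return "none", n  # implicit trailing "by * none"
    return "none", 0  # no rule matched: access denied

def shadowed(acl):
    """Rules placed after the first 'access to *' can never be selected."""
    whats = [parse(r)[0] for r in acl]
    return list(range(whats.index("*") + 2, len(acl) + 1)) if "*" in whats else []
```

With the posted rules, `evaluate(POSTED, ADMIN, USER, "sn")` is decided by the `by users read` clause of rule 2, which matches the symptom of an Administrator who can log in but not modify entries.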