Hi
You could insert something like this:
to dn.exact="ou=somedomain,dc=example,dc=com" attrs=children by group="cn=admingroup,ou=ldap,dc=example,dc=com" write stop by * break to dn.children="ou=somedomain,dc=example,dc=com" attrs=@inetOrgPerson,@organizationalUnit,@posixAccount, @shadowAccount,entry by group="cn=admingroup,ou=ldap,dc=example,dc=com" write stop by * break
This will grant administrative rights by the specified group to:
- the "children" attr of the entry: ou=somedomain,dc=example,dc=com - all attrs of children of: ou=somedomain,dc=example,dc=com in the specified objectClasses plus the entries itself - all other users/groups will continue with ACL evaluation (by * break)
This will prevent modifying the entry: ou=somedomain,dc=example,dc=com If you do not need that, replace the two ACLs with:
to dn.subtree=ou=somedomain,dc=example,dc=com" ...
But you have to add these ACLs before the rule with: to attrs=userPassword ... otherwise if you add it at the end, the "by * none" will prevent all access.
ou=ldap is just an ou that contains my slapd admin groups, for example:
dn: ou=ldap,dc=example,dc=com objectClass: organizationalUnit ou: ldap
dn: cn=admingroup,ou=ldap,dc=example,dc=com objectClass: groupOfNames member: uid=someuser,ou=somedomain,dc=example,dc=com cn: admingroup
Hope that helps a bit with the bleeding :) And carefully test your ACLs, I had to do a lot of try and error to get it right.
Kind regards Sven
On 03/18/2018 04:54 PM, Lists Nethead wrote:
Hi all,
First post here, and it is asking for advice on an access rule. Setup is,
+-dc=example,dc=com +--ou=somedomain +---uid=someuser,ou=somedomain,dc=example,dc=com +--ou=someotherdomain +---uid=otheruser,ou=someotherdomain,dc=example,dc=com +--ou=yetanotherdomain
The ruleset so far that seems to work is
to dn.base="" by * read to dn.base="cn=subschema" by * read to attrs=userPassword by dn.base="cn=admin,dc=example,dc=com" write by dn.base="uid=otheradmin,ou=System,dc=example,dc=com" write by self write by anonymous auth by * none to * by dn.base="uid=someadmin,ou=System,dc=example,dc=com" w rite by self read by peername.ip=<address>%255.255.255.0 read by peern ame.ip=<address>%255.255.255.0 read by peername.ip=<address>%255.255.2 55.0 read by users tls_ssf=256 read by * none
What I want next is that "uid=someuser,ou=somedomain,dc=example,dc=com" should be able to administer accounts in "ou=somedomain" and likewise for other "ou=".
My guess is that a group with admin accounts is the way to go but right now my eyes are bleeding after reading the whole day about access rules...
Thanks,
//per