I am struggling to find documentation on how to use the cn=config syntax for delegating a subdomain to a group of users.
In my situation, I have an OU set up for customer accounts (ou=subdomain,ou=People,dc=example,dc=com). I can currently edit that if I log in as a user that is in our admin OU, ou=admins,dc=example,dc=com. However, I don't want to give our front-facing support that much access.
Basically, I want the following:
- any user can update their info.
- anyone in ou=admin can update anything
- anybody in group cn=cust_support,ou=group,dc=example,dc=com can do anything to anyone in the ou=subdomain,ou=People OU. (create/edit/update/delete)
However, I am struggling to get the syntax right. I have tried many permutations, and the most recent example was to use these rules for setting olcAccess in the cn=config database:
{0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * none
{1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" by self write by dn.children="ou=admins,dc=example,dc=com" write by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * read
{2}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by * read
I have tried making cn=cust_support,ou=group,dc=example,dc=com both a posixGroup and a groupOfNames. With both of them, when I go to save a new user, I get "insufficient access".
If anyone could guide me in the correct direction, it would be greatly appreciated.
Thanks!
Brian
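For reference, here is an added example (not from Brian's post) of the three rules above written as an LDIF modification against the data database, together with a groupOfNames entry that the group.exact clause can actually evaluate. It assumes the data backend is olcDatabase={1}mdb,cn=config and uses uid=support1,ou=People,dc=example,dc=com and uid=newcust,... as constructed sample DNs.

```ldif
# Added example: ACLs go on the *data* database, not on olcDatabase={0}config.
# Assumption: the data backend is olcDatabase={1}mdb (check with
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner and the two privileged sets may write; everyone else
# may only bind against the value (auth) and never read it.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * none
# Customer subtree: with no attrs= clause the rule also covers the "entry"
# and "children" pseudo-attributes, which an add or delete needs write on
# (children of the parent OU, entry of the new object).
olcAccess: {1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com"
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * read
olcAccess: {2}to *
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by * read

# group.exact defaults to objectClass groupOfNames / attribute member, so the
# members must be full DNs. A posixGroup's memberUid holds bare uid strings,
# which never match the bind DN, so that variant cannot grant access here.
dn: cn=cust_support,ou=group,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: cust_support
member: uid=support1,ou=People,dc=example,dc=com

# Verify the add path offline with slapacl before touching the running server
# (constructed DNs; -u skips fetching the not-yet-existing entry):
#   slapacl -F /etc/ldap/slapd.d -D "uid=support1,ou=People,dc=example,dc=com" \
#     -b "ou=subdomain,ou=People,dc=example,dc=com" children/write
#   slapacl -F /etc/ldap/slapd.d -u -D "uid=support1,ou=People,dc=example,dc=com" \
#     -b "uid=newcust,ou=subdomain,ou=People,dc=example,dc=com" entry/write
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif; the continuation lines are indented with two spaces because LDIF strips exactly one leading space when joining a folded value.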