Hi,
I've had OpenLDAP set up for a while now such that users can create groups and manage the groups that they've created. I've achieved this by creating a new objectClass (called "managedGroup") which adds the "manager" attribute, and then I've set up ACLs like this:
olcAccess: {14}to dn.base="ou=Groups,dc=whatever" attrs=children by users add by * break
olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever" filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))" attrs=entry by users add by * break
olcAccess: {16}to dn.subtree="ou=Groups,dc=whatever" attrs=cn,manager,memberUid,description by set.exact="this/manager & user" write by * break
I also have the "unique" overlay installed to prevent multiple groups from having the same "cn" or "gidNumber".
I've got a request from users to be able to rename their groups now too. I tried changing "by users add" to "by users write" in clause 14, and added the "entry" attribute to "attrs=" in clause 16, but the server is still not letting users rename their groups. The output of the log file looks like this:
slapd[44745]: => acl_get: [16] attr entry
slapd[44745]: => acl_mask: access to entry "cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
slapd[44745]: => acl_mask: to all values by "uid=g-guest,ou=people,dc=whatever", (=0)
slapd[44745]: <= check a_dn_pat: users
slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
slapd[44745]: => access_allowed: no more rules
What am I missing?
Tim Gustafson wrote:
Read the Operation Requirements section of slapd.access(5).
On Fri, 7 Mar 2014 11:11:23 -0800, Tim Gustafson tjg@ucsc.edu wrote:
access to dn.base=ou=groups,dc=whatever attrs=entry,children by .... read
-Dieter
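As an added illustration of the operation requirements in slapd.access(5) that both replies point to (not a fragment from any message in this thread): a modrdn needs write on the entry pseudo-attribute of the renamed entry, delete on children of the old parent, add on children of the new parent, and write on the new RDN attribute. The fragment below keeps the original clause {15}, which grants every user only add on entry, beside a version that grants write on entry to the group's manager only; the dc=whatever suffix, clause numbers and attribute names are taken from the original post.

```ldif
# Added example, not from the thread: before/after for the "entry" ACL.
# A rename (modrdn) needs write on the "entry" pseudo-attribute; add is not enough.

# BEFORE: every user gets only add on entry, so acl_mask stops at add(=arscxd)
# and the write access needed for the rename is denied (as in the posted log).
olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever"
  filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))"
  attrs=entry
  by users add
  by * break

# AFTER: the group's manager gets write on entry; everyone else keeps add,
# which is still needed so users can create groups. The first matching
# "by" clause wins, so the manager clause must come before "by users add".
olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever"
  filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))"
  attrs=entry
  by set.exact="this/manager & user" write
  by users add
  by * break

# The parent's "children" pseudo-attribute needs delete (old parent) and add
# (new parent) for a modrdn; write implies both. The new RDN attribute (cn)
# is already writable by the manager through the original clause {16}.
olcAccess: {14}to dn.base="ou=Groups,dc=whatever" attrs=children
  by users write
  by * break
```

Because write implies delete, the manager clause also satisfies the delete operation's requirements (delete on entry and on the parent's children), so a group's manager can then delete that group as well as rename it.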
openldap-technical@openldap.org