Hi folks!
I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio as the client on a different machine.
I am having issues trying to set up an ACL using a group. The only non-standard aspect in my schema design is that the groups container is located in an organization-specific sub-tree of the DIT and not under the DIT root, e.g.
access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com" attrs = "entry,@myResourceClass" group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue by * break
access to * by * read
I am logging in with a user who is a member of this group but not getting the desired write access to the entry.
Does the location of the group entries in the DIT really matter for the ACL to work?
Thanks
-Rakesh
--On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal <rakesh.aggarwal@gmail.com> wrote:
> Hi folks!
> I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio as the client on a different machine.
> I am having issues trying to set up an ACL using a group. The only non-standard aspect in my schema design is that the groups container is located in an organization-specific sub-tree of the DIT and not under the DIT root, e.g.
> access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com" attrs = "entry,@myResourceClass" group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue by * break
> access to * by * read
What you pasted is not a valid ACL statement. I expect it to fail. You may want to try adding the word "by" in front of "group.exact".
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
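The two ACL statements from the thread in corrected form, as an added slapd.conf example (not from either poster): every <who> clause has to be introduced by "by", and the group DN can live anywhere in the DIT, since group.exact only needs it to resolve to an existing entry of the expected object class (groupOfNames with a member attribute, by default). The DNs are the ones from the original post; myResourceClass is the poster's own object class.

```conf
# As posted: no "by" in front of the group clause, so slapd rejects the
# whole access directive as a syntax error.
#access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com" attrs="entry,@myResourceClass"
#    group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue
#    by * break

# Corrected: one "by" per <who> clause. Members of cn=myadmin (wherever that
# group sits in the DIT) get write to the entry pseudo-attribute and to all
# attributes of myResourceClass below ou=resources. The posted "continue" is
# dropped: with the default "stop" control, a matching member gets write and
# evaluation of this directive ends. Everyone else falls through ("break")
# to the next access directive.
access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com"
        attrs="entry,@myResourceClass"
    by group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write
    by * break

# Catch-all: read for everyone on anything not decided above.
access to *
    by * read
```

Check the syntax before restarting slapd with `slaptest -f /etc/openldap/slapd.conf -u` (the default RedHat path; adjust if yours differs).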