I am struggling to find documentation on how to use the cn=config syntax
for delegating a subdomain to a group of users.
In my situation, I have an OU set up for customer accounts
(ou=subdomain,ou=People,dc=example,dc=com). I can currently edit that if
I log in as a user that is in our admin OU, ou=admins,dc=example,dc=com.
However, I don't want to give our front-facing support that much access.
Basically, I want the following:
- any user can update their info.
- anyone in ou=admin can update anything
- anybody in group cn=cust_support,ou=group,dc=example,dc=com can do
anything to anyone in the ou=subdomain,ou=People OU.
(create/edit/update/delete)
However, I am struggling to get the syntax right. I have tried many
permutations, and the most recent example was to use these rules for
setting olcAccess in the cn=config database:
{0}to attrs=userPassword by self write by anonymous auth by
dn.children="ou=admins,dc=example,dc=com" write by
group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * none
{1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" by self write
by dn.children="ou=admins,dc=example,dc=com" write by
group.exact="cn=cust_support,ou=group,dc=example,dc=com" write by * read
{2}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by
* read
I have tried making cn=cust_support,ou=group,dc=example,dc=com both a
posixGroup and a groupOfNames. With both of them, when I go to save a new
user, I get "insufficient access".
If anyone could guide me in the correct direction, it would be greatly
appreciated.
thanks!
Brian
Hi Brian,
Your best bet is to set up something in your dev environment, if you
haven't already, then for ease switch to a simple slapd.conf, testing
your ACLs with slapacl and/or ldapsearch. Once happy, convert the
slapd.conf to a slapd.d setup and reference the right LDIF output to
import/update on your test environment. Then, once double happy, make it
live.
Best way to learn, sorry :-)
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
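Brian's three rules rendered as a cn=config LDIF modify, together with the slapacl checks Gavin recommends, as an added example that is not part of either message. It assumes the database entry is olcDatabase={1}mdb,cn=config and the config directory is /etc/ldap/slapd.d (neither is in the thread; set them to match your server), and the test users uid=cust1 and uid=support1 are constructed. The same rule text is kept, so it shows the syntax, not a fix for the denied add.

```shell
#!/bin/sh
# Added example (not from the thread). Turns the three rules from the post
# into a cn=config LDIF modify and lists the slapacl checks for each
# delegation case. Constructed values: the database DN, the config dir and
# the uid=cust1 / uid=support1 test users.

SUFFIX="dc=example,dc=com"
DB_DN="olcDatabase={1}mdb,cn=config"      # assumption: your database entry
CONF_DIR="${CONF_DIR:-/etc/ldap/slapd.d}" # assumption: slapd.d location
ADMINS="ou=admins,$SUFFIX"
SUPPORT_GRP="cn=cust_support,ou=group,$SUFFIX"
CUSTOMERS="ou=subdomain,ou=People,$SUFFIX"
CUST_USER="uid=cust1,$CUSTOMERS"               # constructed customer account
SUPPORT_USER="uid=support1,ou=People,$SUFFIX"  # constructed member of the group

# Write an LDIF that replaces the whole olcAccess list on the database entry.
# cn=config keeps the evaluation order in the {n} prefix, and slapd stops at
# the first "to" clause that matches, so {0} (userPassword) is consulted
# before the subtree rule {1}. An LDIF continuation line starts with ONE
# space, which the parser strips; the second space below is the one that
# survives in the stored value.
write_acl_ldif() {
  cat > "$1" <<EOF
dn: $DB_DN
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="$ADMINS" write
  by group.exact="$SUPPORT_GRP" write
  by * none
olcAccess: {1}to dn.subtree="$CUSTOMERS"
  by self write
  by dn.children="$ADMINS" write
  by group.exact="$SUPPORT_GRP" write
  by * read
olcAccess: {2}to *
  by self write
  by dn.children="$ADMINS" write
  by * read
EOF
}

# Join continuation lines the way an LDIF parser does, to show the exact
# olcAccess values slapd will store.
unfold_ldif() {
  awk '/^ / { sub(/^ /, ""); line = line $0; next }
       { if (line != "") print line; line = $0 }
       END { if (line != "") print line }' "$1"
}

# Number of olcAccess values in the file (one per {n} rule).
acl_rule_count() {
  grep -c '^olcAccess:' "$1"
}

# Run slapacl when it is installed, otherwise print the command. slapacl
# reads slapd.d directly, so slapd need not be running. -u evaluates a DN
# that does not exist yet, which is how an add looks to the ACL engine.
acl_check() {
  if command -v slapacl >/dev/null 2>&1; then
    slapacl -F "$CONF_DIR" "$@" || echo "slapacl exit status $?"
  else
    echo "would run: slapacl -F $CONF_DIR $*"
  fi
}

slapacl_checks() {
  # 1. A customer edits their own entry (rule {1} "by self write").
  acl_check -D "$CUST_USER" -b "$CUST_USER" mail/write userPassword/write
  # 2. Support creates a user under the delegated OU: an add needs write on
  #    the parent's "children" and on the new entry's "entry" and attributes.
  acl_check -D "$SUPPORT_USER" -b "$CUSTOMERS" children/write
  acl_check -u -D "$SUPPORT_USER" -b "uid=newcust,$CUSTOMERS" entry/write userPassword/write
  # 3. Support must NOT get write outside the delegated subtree (rule {2}).
  acl_check -D "$SUPPORT_USER" -b "uid=someone,ou=People,$SUFFIX" entry/write
}

main() {
  out="${TMPDIR:-/tmp}/delegation.ldif"
  write_acl_ldif "$out"
  echo "wrote $out with $(acl_rule_count "$out") olcAccess values:"
  unfold_ldif "$out" | grep '^olcAccess:'
  slapacl_checks
}

main
```

Apply the file with ldapmodify against the cn=config database and re-run the slapacl lines after every change; the "children/write" and "-u ... entry/write" checks are the two an add must pass, so a denial there points at the rule rather than at the client. One caveat worth checking against the posixGroup attempt in the post: `group.exact=` with no further qualifier looks for a groupOfNames whose `member` values are DNs; a different object class or membership attribute has to be named in the `group/<objectClass>/<attribute>` form.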