As far as I know, it *HAS* to be done this way because the posixGroup schema is way out of date (it won't take a dn as a member). This info is according to the gurus on the OpenLDAP list. In effect we have to keep a duplicate set of group records for those that will have access to the database. For example, if you want to give group-based access to a group like "Domain Controllers", you would have to keep a duplicate record using a different objectClass.
Oh, yes and if you know a better way, I am always looking for better ways to get things done. :-)
How I did it was like this:
1. I set up a new OU called "Access Groups".
2. I created a new groupOfNames object in that OU called "Domain Controllers". For the "member" attribute, use the dn of the host record for your primary DC.
3. Using gq, I added simpleSecurityObject to the host record so that it would have a password. Note: Probably can't use the machine account instead due to some rather complex password issues.
4. I set the password by pasting the results of the following command into the userPassword attribute:
[EMAIL PROTECTED] openldap]$ read -sp "Enter password to be used:" pw;echo;slappasswd -s $pw;unset pw
Enter password to be used:
{SSHA}4FMerwu0qcafPYXwxlpTxuRcdtTTvZN6
[EMAIL PROTECTED] openldap]$
5. I verified that I had a proper set of ACLs by using "slapd -t" to test them. That way you don't have to restart to find out if they are bad. You also need a line like the following in each access clause:
by group="cn=Domain Controllers,ou=Access Groups,$2" write
6. Group access can now be had by placing the dn of the controller's host record (which must have a simpleSecurityObject) in the member attribute of the new groupOfNames group called "Domain Controllers".
To add more controllers, just create a new host record, add simpleSecurityObject to it, and add the dn of that host record as a member of the groupOfNames group called "Domain Controllers".
More details at:
http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController#OpenLDAP_Structural_Adjustments
Jim C.
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services:  |
|---------------------------------------------------------------|
| MSN: [EMAIL PROTECTED]   AIM: WyteLi0n   ICQ: 123291844        |
|---------------------------------------------------------------|
| Y!: j_c_llings   Jabber: [EMAIL PROTECTED]                     |
-----------------------------------------------------------------
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba