Hi,

I'm trying to set up ACLs for my openldap server. I have ou=people, which
contains users, and ou=group, which contains groups. I've created
"cn=administrators,ou=group,dc=company,dc=com" with the following members:
member: uid=admin1, ou=people,dc=company,dc=com
member: uid=admin2, ou=people,dc=company,dc=com

and "cn=accountadmin,ou=group,dc=company,dc=com" with the following members:
member: uid=admin3, ou=people,dc=company,dc=com

The ACL in slapd.conf is configured as shown below. Currently any member of
the administrators group can delete anyone in that group. Is there any way to
restrict access such that each member cannot delete another member's entry,
while still allowing all members of the administrators group to see the
"*,ou=group,dc=company,dc=com" entries?

Bound as uid=acadmin, I'm unable to delete any user under
"uid=*,ou=people,dc=company,dc=com". It says insufficient access. What
changes/additions should I make to allow user deletion by uid=acadmin?

Thanks for your help.

PS: is it valid to have two "by group=" clauses in the same access directive,
as shown below?


defaultaccess none

access to attr=userpassword
    by self write
    by group="cn=administrators,ou=group,dc=company,dc=com" write
    by * none

access to dn=".*,ou=people,dc=company,dc=com"
    by self write
    by group="cn=administrators,ou=group,dc=company,dc=com" write
    by group="cn=accountadmin,ou=group,dc=company,dc=com" write   <-- valid to have 2 "by group"?
    by dn=".*,ou=people,dc=com,dc=com" read
    by * none

access to dn=".*,dc=company,dc=com"
    by group="cn=administrators,ou=group,dc=company,dc=com," write
    by * none
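The following slapd.conf ACL fragment is an added example, not the poster's configuration, showing one way to give only the accountadmin group the right to delete user entries while the administrators group can read users and groups but not delete each other. It assumes OpenLDAP 2.1+ ACL syntax (dn.subtree, dn.regex, group.exact, attrs=entry/children) and the DNs from the post; the rules rely on "first matching access directive wins", so the specific rules come before the general ones.

```conf
# Added example (not the original poster's config). Assumes OpenLDAP 2.1+
# ACL syntax. slapd evaluates "access to" directives in order and uses the
# first one whose target matches the entry and attribute, so order matters.

# Passwords: the owner and account admins may set them; "auth" (not "none")
# for everyone else is what lets a simple bind compare the password at all.
access to dn.subtree="ou=people,dc=company,dc=com" attrs=userPassword
    by self write
    by group.exact="cn=accountadmin,ou=group,dc=company,dc=com" write
    by * auth

# Deleting an entry needs write access to its "entry" pseudo-attribute and to
# the "children" pseudo-attribute of its parent. Only accountadmin gets those;
# administrators get read, so its members cannot delete one another.
access to dn.regex="^uid=[^,]+,ou=people,dc=company,dc=com$" attrs=entry
    by group.exact="cn=accountadmin,ou=group,dc=company,dc=com" write
    by group.exact="cn=administrators,ou=group,dc=company,dc=com" read
    by users read
    by * none

access to dn.exact="ou=people,dc=company,dc=com" attrs=children
    by group.exact="cn=accountadmin,ou=group,dc=company,dc=com" write
    by users read
    by * none

# Ordinary attributes of user entries: owners edit their own, account admins
# edit all, administrators and other users only read.
access to dn.subtree="ou=people,dc=company,dc=com"
    by self write
    by group.exact="cn=accountadmin,ou=group,dc=company,dc=com" write
    by group.exact="cn=administrators,ou=group,dc=company,dc=com" read
    by users read
    by * none

# Group entries are visible to administrators only. Several "by group" clauses
# in one directive are valid; each is tried in turn until one matches.
access to dn.subtree="ou=group,dc=company,dc=com"
    by group.exact="cn=administrators,ou=group,dc=company,dc=com" read
    by * none

# Catch-all: everything not matched above is denied.
access to *
    by * none
```

Note that a "by group" clause only applies when the bind DN is listed verbatim as a member of that group, so the DN used to bind must match the member value character for character; a stray comma or a mistyped component in a DN inside an ACL silently makes that clause match nothing.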
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list