I am struggling to find documentation on how to use the cn=config syntax
for delegating a subdomain to a group of users.

In my situation, I have an OU setup for customer accounts
(ou=subdomain,ou=People,dc=example,dc=com). I can currently edit that if
I log in as a user that is in our admin OU, ou=admins,dc=example,dc=com.
However, I don't want to give our front-facing support that much access.

Basically, I want the following:
 - any user can update their info.
 - anyone in ou=admin can update anything
 - anybody in group cn=cust_support,ou=group,dc=example,dc=com can do
   anything to anyone in the ou=subdomain,ou=People OU
   (create/edit/update/delete)

However, I am struggling to get the syntax right. I have tried many
permutations, and the most recent example was to use these rules for
setting olcAccess in the o=config database:

olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com"
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * read
olcAccess: {2}to *
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by * read

I have tried making cn=cust_support,ou=group,dc=example,dc=com both a
posixGroup and a groupOfNames. With both of them, when I go to save a new
user, I get "insufficient access".

If anyone could guide me in the correct direction, it would be greatly
appreciated.
Thanks!

Brian
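One complete cn=config ACL set for this kind of delegation, written as an added example rather than taken from the post above. The database name olcDatabase={1}mdb and the support account uid=support1 used in the slapacl check are assumptions, and the group is taken to be a groupOfNames whose member values are full DNs:

```ldif
# Constructed example, not from the original post. Replaces the full olcAccess
# list of the data database; olcDatabase={1}mdb is an assumption, confirm with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
# LDIF continuation lines start with one space, so two leading spaces keep the
# blank between clauses when the value is joined back together.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * none
# Adding or deleting an entry requires write on the parent's "children"
# pseudo-attribute and on the entry's own "entry" pseudo-attribute; granting
# them explicitly for the delegated subtree avoids relying on the default.
olcAccess: {1}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com" attrs=entry,children
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * read
# Regular attributes of the delegated subtree: owner, admins and support write.
olcAccess: {2}to dn.subtree="ou=subdomain,ou=People,dc=example,dc=com"
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
  by * read
olcAccess: {3}to *
  by self write
  by dn.children="ou=admins,dc=example,dc=com" write
  by * read
# group.exact defaults to objectClass groupOfNames / attribute member, whose
# values must be full DNs; a posixGroup's memberUid holds bare uids and will
# never match a bind DN. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f delegate-acl.ldif
# then check the support account's rights offline, without a client
# (uid=support1 is an assumed member of cn=cust_support):
#   slapacl -F /etc/ldap/slapd.d \
#     -D "uid=support1,ou=People,dc=example,dc=com" \
#     -b "ou=subdomain,ou=People,dc=example,dc=com" children/write
```

slapacl evaluates the same olcAccess rules slapd uses, so "children/write" reported as allowed for the support DN means the group member can add entries under the subdomain OU before any client is involved.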
