
List:       forgerock-opendj
Subject:    [Opendj] Admin privileges to a group of users.
From:       ludovic.poitou () forgerock ! com (Ludovic Poitou)
Date:       2011-12-18 17:09:13
Message-ID: 8DCA880E-7D2E-48A3-A731-A5943E51DACB () forgerock ! com

Hi Robert,

The base value out of the subTreeSpecification is relative to the parent entry of the CollectiveAttributeSubentry. So in your first attempt, Option 2 would have worked with a base of "ou=People,ou=Intranet" or even just "ou=intranet" instead of "ou=groups".

Glad you have it working now.

Kind regards,

Ludovic

On Dec 18, 2011, at 14:46 , Robert Iadgarov wrote:

> 
> I found the problem.
> The collective attribute should be used. The trick is in the attribute location within the sub-tree and the subtreeSpecification.
> In my case the following worked:
> 
> dn: cn=Administrator Privileges,o=intranet,dc=example,dc=com
> changetype: add
> objectClass: collectiveAttributeSubentry
> objectClass: extensibleObject
> objectClass: subentry
> objectClass: top
> cn: Administrator Privileges
> ds-privilege-name;collective: config-read
> ds-privilege-name;collective: password-reset
> subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=admins,ou=Groups,dc=checkpoint,dc=com)" }
> 
> 
> This is a group of users:
> 
> dn: cn=admins,ou=Groups,dc=example,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=user1,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user2,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user3,ou=People,o=intranet,dc=checkpoint,dc=com
> cn: admins
> 
> 
> 
> From: opendj-bounces at forgerock.org [mailto:opendj-bounces at forgerock.org] On Behalf Of Robert Iadgarov
> Sent: Sunday, December 18, 2011 1:21 PM
> To: OpenDJ discussion list (opendj at forgerock.org)
> Subject: [Opendj] Admin privileges to a group of users.
> 
> 
> Hello,
> 
> I have difficulties defining Administrator privileges for a group. It worked fine for individual users. But for the group of users it just wouldn't work, either by defining the "ds-privilege-name:" attribute on the group or by using a collective attribute. What am I doing wrong? Should I use virtual attributes?
> 
> 
> This is a group of users:
> 
> dn: cn=admins,ou=Groups,dc=example,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=user1,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user2,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user3,ou=People,o=intranet,dc=checkpoint,dc=com
> cn: admins
> 
> 
> 
> Option 1 (just assigning the ds-privilege-name attribute to the group): didn't work
> ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
> dn: cn=admins,ou=Groups,dc=example,dc=com
> changetype: modify
> add: ds-privilege-name
> ds-privilege-name: config-read
> ds-privilege-name: password-reset
> 
> 
> Option 2 (by using a collective attribute): didn't work
> dn: cn=Administrator Privileges,dc=example,dc=com
> changetype: add
> objectClass: collectiveAttributeSubentry
> objectClass: extensibleObject
> objectClass: subentry
> objectClass: top
> cn: Administrator Privileges
> ds-privilege-name;collective: config-read
> ds-privilege-name;collective: password-reset
> subtreeSpecification: {base "ou=groups", specificationFilter "(isMemberOf=cn=admins,ou=Groups,dc=checkpoint,dc=com)" }
> 
> 
> 
> --
> Robert Iadgarov
> Team Leader, System Infrastructures, MIS Department
> 
> Check Point Software Technologies LTD.
> 5 Ha'solelim St. Tel-Aviv 67897,
> PO Box 9422, ISRAEL
> Tel: +972-3-6115453
> Fax: +972-3-5759256
> Email: roberti at checkpoint.com
> http://www.checkpoint.com
> ================================================================
> This message may contain confidential and/or proprietary information, and is
> intended only for the person/entity to who
> 
> _______________________________________________
> OpenDJ mailing list
> OpenDJ at forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj

- - -

Ludovic Poitou - ForgeRock France SAS
e: ludovic.poitou at forgerock.com
t: +33 625 14 96 92
w: www.forgerock.com
blog: http://ludopoitou.wordpress.com
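As an added illustration (not OpenDJ code, and not from either message in the thread), the following Python models the scoping rule Ludovic describes: the subtreeSpecification base is resolved relative to the subentry's parent entry, and the specificationFilter is then ANDed with that subtree, so an entry only receives ds-privilege-name;collective when it is both inside the subtree and a member of the group. The directory it walks is constructed and uses dc=example,dc=com throughout (the thread mixes dc=example and dc=checkpoint); the isMemberOf virtual attribute is emulated from uniqueMember values; and the entries uid=user4 (not in the group) and uid=svc-backup (in the group, but outside ou=People) are assumptions added to show that both conditions must hold. It compares the subentry exactly as first posted (base "ou=groups"), the placement that worked, and a wider base under the original placement.

```python
"""Offline model of how an OpenDJ collectiveAttributeSubentry scopes a collective
attribute (RFC 3672 subtree specification plus an LDAP specificationFilter).

Added example, not OpenDJ code. The directory is constructed; isMemberOf is
emulated from static group membership; only the single (attr=value) equality
filter shape used in the thread is supported.
"""
from __future__ import annotations

import re


def norm(dn: str) -> str:
    """Normalise a DN for comparison (sample data has no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parent(dn: str) -> str:
    """Parent DN; for a subentry this is the administrative point."""
    return ",".join(dn.split(",")[1:])


def is_under(entry_dn: str, root_dn: str) -> bool:
    """True if entry_dn is root_dn itself or any subordinate of it."""
    entry, root = norm(entry_dn), norm(root_dn)
    return entry == root or entry.endswith("," + root)


# Constructed directory content (DN -> attributes). Subentries are not listed:
# collective attributes never apply to subentries themselves.
PEOPLE = "ou=People,o=intranet,dc=example,dc=com"
ADMINS = "cn=admins,ou=Groups,dc=example,dc=com"
SVC = "uid=svc-backup,ou=Services,o=intranet,dc=example,dc=com"  # assumed entry
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    ADMINS: {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=user1,{PEOPLE}", f"uid=user2,{PEOPLE}",
                         f"uid=user3,{PEOPLE}", SVC],
    },
    "o=intranet,dc=example,dc=com": {"objectClass": ["organization"]},
    PEOPLE: {"objectClass": ["organizationalUnit"]},
    f"uid=user1,{PEOPLE}": {"objectClass": ["inetOrgPerson"]},
    f"uid=user2,{PEOPLE}": {"objectClass": ["inetOrgPerson"]},
    f"uid=user3,{PEOPLE}": {"objectClass": ["inetOrgPerson"]},
    f"uid=user4,{PEOPLE}": {"objectClass": ["inetOrgPerson"]},  # assumed, not an admin
    "ou=Services,o=intranet,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    SVC: {"objectClass": ["inetOrgPerson"]},
}


def is_member_of(entry_dn: str) -> list[str]:
    """Emulate OpenDJ's isMemberOf virtual attribute from static groups."""
    me = norm(entry_dn)
    return [norm(dn) for dn, attrs in DIRECTORY.items()
            if any(norm(m) == me for m in attrs.get("uniqueMember", []))]


def matches_filter(entry_dn: str, ldap_filter: str) -> bool:
    """Evaluate one (attr=value) equality filter against one entry."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2)
    if attr == "ismemberof":
        return norm(value) in is_member_of(entry_dn)
    values = [v for k, vs in DIRECTORY[entry_dn].items() if k.lower() == attr for v in vs]
    return value.lower() in [v.lower() for v in values]


def parse_subtree_spec(spec: str) -> tuple[str, str | None]:
    """Extract base and specificationFilter from a {base "...", specificationFilter "..."} value."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    filt = re.search(r'specificationFilter\s+"([^"]*)"', spec)
    return (base.group(1) if base else ""), (filt.group(1) if filt else None)


def collective_scope(subentry_dn: str, subtree_spec: str) -> list[str]:
    """DNs that receive the subentry's collective attributes.

    The base is relative to the subentry's parent (empty base = that whole
    subtree). The filter then refines the set, so subtree membership and
    group membership are ANDed: an entry needs both to get the privileges.
    """
    base, filt = parse_subtree_spec(subtree_spec)
    root = f"{base},{parent(subentry_dn)}" if base else parent(subentry_dn)
    return sorted(dn for dn in DIRECTORY
                  if is_under(dn, root) and (filt is None or matches_filter(dn, filt)))


FILTER = f"(isMemberOf={ADMINS})"


def option2_as_posted() -> list[str]:
    """Subentry under dc=example,dc=com with base "ou=groups": the subtree root
    is the groups container, which holds no user entries, so nobody qualifies."""
    return collective_scope("cn=Administrator Privileges,dc=example,dc=com",
                            f'{{base "ou=groups", specificationFilter "{FILTER}" }}')


def working_subentry() -> list[str]:
    """Subentry under o=intranet with base "ou=people": only the three group
    members that live under ou=People."""
    return collective_scope("cn=Administrator Privileges,o=intranet,dc=example,dc=com",
                            f'{{base "ou=people", specificationFilter "{FILTER}" }}')


def wide_base() -> list[str]:
    """Original placement but base "o=intranet": every group member anywhere
    under o=intranet, which now also picks up the service account."""
    return collective_scope("cn=Administrator Privileges,dc=example,dc=com",
                            f'{{base "o=intranet", specificationFilter "{FILTER}" }}')


if __name__ == "__main__":
    for name, fn in [("as posted", option2_as_posted), ("working", working_subentry),
                     ("wide base", wide_base)]:
        print(f"{name}: {fn()}")
```

Two practical points follow from the model. First, because scope and filter are ANDed, widening the base (for example to the whole o=intranet subtree) silently extends config-read and password-reset to any group member anywhere under it, so keep the base as tight as the real account layout allows and treat uniqueMember changes on cn=admins as privilege grants to be reviewed. Second, on a live server check the result per user rather than trusting the subentry: ds-privilege-name is an operational attribute, so request it by name, e.g. `ldapsearch -D "cn=Directory Manager" -w password -b "ou=People,o=intranet,dc=example,dc=com" "(uid=user1)" ds-privilege-name`, and run the same search for a non-member to confirm the attribute is absent.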



