List: forgerock-opendj
Subject: [Opendj] Admin privileges to a group of users.
From: ludovic.poitou () forgerock ! com (Ludovic Poitou)
Date: 2011-12-18 17:09:13
Message-ID: 8DCA880E-7D2E-48A3-A731-A5943E51DACB () forgerock ! com
Hi Robert,
The base value out of the subTreeSpecification is relative to the parent entry of the CollectiveAttributeSubentry. So in your first attempt, Option 2 would have worked with a base of "ou=People,ou=Intranet" or even just "ou=intranet" instead of "ou=groups".
Glad you have it working now.
Kind regards,
Ludovic
On Dec 18, 2011, at 14:46 , Robert Iadgarov wrote:
>
> I found the problem.
> The collective attribute should be used. The trick is in the attribute location within the sub-tree and the subtreeSpecification.
> In my case the following worked:
>
> dn: cn=Administrator Privileges,o=intranet,dc=example,dc=com
> changetype: add
> objectClass: collectiveAttributeSubentry
> objectClass: extensibleObject
> objectClass: subentry
> objectClass: top
> cn: Administrator Privileges
> ds-privilege-name;collective: config-read
> ds-privilege-name;collective: password-reset
> subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=admins,ou=Groups,dc=checkpoint,dc=com)" }
>
>
> This is a group of users:
>
> dn: cn=admins,ou=Groups,dc=example,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=user1,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user2,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user3,ou=People,o=intranet,dc=checkpoint,dc=com
> cn: admins
>
>
>
> From: opendj-bounces at forgerock.org [mailto:opendj-bounces at forgerock.org] On Behalf Of Robert Iadgarov
> Sent: Sunday, December 18, 2011 1:21 PM
> To: OpenDJ discussion list (opendj at forgerock.org)
> Subject: [Opendj] Admin privileges to a group of users.
>
>
> Hello,
>
> I have difficulties defining Administrator privileges for a group. It worked fine for individual users. But for the group of users it just wouldn't work, neither with defining the "ds-privilege-name:" attribute on the group nor by using a collective attribute. What am I doing wrong? Should I use virtual attributes?
>
>
> This is a group of users:
>
> dn: cn=admins,ou=Groups,dc=example,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=user1,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user2,ou=People,o=intranet,dc=checkpoint,dc=com
> uniqueMember: uid=user3,ou=People,o=intranet,dc=checkpoint,dc=com
> cn: admins
>
>
>
> Option 1 (just assigning the ds-privilege-name attribute to the group): ------ didn't work
> ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
> dn: cn=admins,ou=Groups,dc=example,dc=com
> changetype: modify
> add: ds-privilege-name
> ds-privilege-name: config-read
> ds-privilege-name: password-reset
>
>
> Option 2 (by using collective attribute): --------------------------------- didn't work
> dn: cn=Administrator Privileges,dc=example,dc=com
> changetype: add
> objectClass: collectiveAttributeSubentry
> objectClass: extensibleObject
> objectClass: subentry
> objectClass: top
> cn: Administrator Privileges
> ds-privilege-name;collective: config-read
> ds-privilege-name;collective: password-reset
> subtreeSpecification: {base "ou=groups", specificationFilter "(isMemberOf=cn=admins,ou=Groups,dc=checkpoint,dc=com)" }
>
>
>
> --
> Robert Iadgarov
> Team Leader, System Infrastructures, MIS Department
>
> Check Point Software Technologies LTD.
> 5 Ha'solelim St. Tel-Aviv 67897,
> PO Box 9422, ISRAEL
> Tel: +972-3-6115453
> Fax: +972-3-5759256
> Email: roberti at checkpoint.com
> http://www.checkpoint.com <http://www.checkpoint.com/>
> _______________________________________________
> OpenDJ mailing list
> OpenDJ at forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj
- - -
Ludovic Poitou - ForgeRock France SAS
e: ludovic.poitou at forgerock.com
t: +33 625 14 96 92
w: www.forgerock.com
blog: http://ludopoitou.wordpress.com
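As an added illustration (not code from this thread or from OpenDJ itself), the check below models which user entries a collectiveAttributeSubentry's subtreeSpecification actually reaches, resolving the base relative to the subentry's parent as Ludovic describes, and shows why the "ou=groups" attempt granted nothing while the subentry placed under o=intranet with base "ou=people" reaches the group members. The DNs are constructed sample data normalised to dc=example,dc=com, and the subtreeSpecification parsing is a simplified reading of the two examples above, not OpenDJ's parser.

```python
import re

# Constructed sample data (not from the thread), normalised to dc=example,dc=com;
# DN handling is simplified: no escaping, components compared case-insensitively.
GROUPS = {"cn=admins,ou=Groups,dc=example,dc=com": [
    "uid=user1,ou=People,o=intranet,dc=example,dc=com",
    "uid=user2,ou=People,o=intranet,dc=example,dc=com"]}
USERS = ["uid=user1,ou=People,o=intranet,dc=example,dc=com",
         "uid=user3,ou=People,o=intranet,dc=example,dc=com"]  # user3 is not a member
PRIVS = ["config-read", "password-reset"]
FILTER = "(isMemberOf=cn=admins,ou=Groups,dc=example,dc=com)"

def norm_dn(dn):
    """Case-fold and strip RDN components so DNs compare reliably."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_subtree_spec(spec):
    """Return (base, isMemberOf group DN or None) from a subtreeSpecification."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"\(isMemberOf=([^)]*)\)"', spec)
    return (base.group(1) if base else ""), (flt.group(1) if flt else None)

def effective_privileges(subentry_dn, spec, privileges, users, groups):
    """Map each user DN to the privileges the subentry grants it.
    The base is resolved relative to the subentry's PARENT entry; a user is
    reached only if it lies in that subtree and passes the isMemberOf filter."""
    base, group_dn = parse_subtree_spec(spec)
    parent = subentry_dn.split(",", 1)[1]
    root = norm_dn(f"{base},{parent}" if base else parent)
    members = None  # None means: no filter, every entry in the subtree qualifies
    if group_dn:
        members = {norm_dn(m) for g, ms in groups.items()
                   if norm_dn(g) == norm_dn(group_dn) for m in ms}
    result = {}
    for user in users:
        u = norm_dn(user)
        in_subtree = u == root or u.endswith("," + root)
        in_group = members is None or u in members
        result[user] = set(privileges) if (in_subtree and in_group) else set()
    return result

def option2_attempt():
    """Thread's option 2: subentry at dc=example,dc=com, base "ou=groups"."""
    return effective_privileges("cn=Administrator Privileges,dc=example,dc=com",
        f'{{base "ou=groups", specificationFilter "{FILTER}" }}', PRIVS, USERS, GROUPS)

def working_version():
    """Thread's fix: subentry under o=intranet, base "ou=people"."""
    return effective_privileges("cn=Administrator Privileges,o=intranet,dc=example,dc=com",
        f'{{base "ou=people", specificationFilter "{FILTER}" }}', PRIVS, USERS, GROUPS)
```

Running option2_attempt() yields no privileges for anyone because the resolved subtree root is ou=groups,dc=example,dc=com and the user entries live elsewhere; working_version() grants config-read and password-reset to user1 only, since user3 is in the subtree but fails the isMemberOf filter.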