
List:       ldap
Subject:    Possible bug in DS 3.1
From:       "Olsen Rose" <olsen_rose () bah ! com>
Date:       1998-05-28 12:20:21

Hello!

I am in the process of testing DS 3.1 in hopes of soon upgrading from
version 1.03. Here is the problem I've run into. We are using
distributed Admin and I have a group which I've created called CSE
Admin. Our directory structure is very flat, it looks as follows:

                     o=BAH
     |                 |                 |
  ou=SMTP          ou=MSMail    ou=Netscape Servers

I have given the group CSE Admin rights to the SMTP and MSMail OUs. The
ACLs I've defined are as follows:

aci: (target ="ldap:///ou=SMTP,o=BAH,c=US")(targetattr = "*")(version 3.0; acl "Untitled"; allow (compare,search,read,write, add , delete ) groupdn = "ldap:///cn=CSE Admin,ou=SMTP,o=BAH,c=US" ;)

aci: (target ="ldap:///ou=MSMail,o=BAH,c=US")(targetattr = "*")(version 3.0; acl "Untitled"; allow (compare,search,read,write, add , delete ) groupdn = "ldap:///cn=CSE Admin,ou=SMTP,o=BAH,c=US" ;)

The problem is we have defined groups in the directory that folks in
the CSE Admin group need to update. While I was testing this morning, I
found that if a user that is a member of the CSE Admin attempts to
update a mail group that they are a member of, I receive an LDAP error
permission denied. For example, if the user Donald Duck is in the group
CSE Admin and also in the group Crystal Park Users, if Donald Duck
attempts to add users to the Crystal Park Users group, he gets a
permission denied LDAP error. However, if Donald Duck attempts to update
a group that he is not a member of, it works just fine. The
objectclasses for the groups are: objectclass: groupOfUniqueNames
objectclass: mailGroup. Any thoughts would be appreciated.

This operation CAN be performed using the ldapmodify command, however, it
can NOT be completed using the Admin interface or the Gateway component.

Thank you.
 Rose Olsen
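
Added example, not part of the original message and not the server's own evaluation logic: a small Python parser for the ACI as posted, with a simplified scope and bind-rule check. The DN of the Crystal Park Users group and the use of uniqueMember for the update are assumptions; read purely from the ACI text, the outcome does not depend on whether the admin also belongs to the group being edited.

```python
import re

# ACI copied from the message above, line wraps rejoined.
ACI_SMTP = ('(target ="ldap:///ou=SMTP,o=BAH,c=US")(targetattr = "*")'
            '(version 3.0; acl "Untitled"; allow (compare,search,read,write, add , delete ) '
            'groupdn = "ldap:///cn=CSE Admin,ou=SMTP,o=BAH,c=US" ;)')

RULE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                  r'\(([^)]*)\)\s*groupdn\s*=\s*"ldap:///([^"]*)"\s*;\s*\)')

def norm_dn(dn):
    """Lowercase and trim each RDN. Naive: no support for escaped commas."""
    return ",".join("=".join(p.strip().lower() for p in rdn.split("=", 1))
                    for rdn in dn.split(","))

def parse_aci(text):
    """Parse the subset of ACI syntax used in the message (one groupdn bind rule)."""
    target = re.search(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', text)
    attrs = re.search(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', text)
    rule = RULE.search(text)
    if not (target and attrs and rule):
        raise ValueError("malformed or unsupported ACI")
    return {"target": norm_dn(target.group(1)),
            "targetattr": {a.strip().lower() for a in attrs.group(1).split("||")},
            "name": rule.group(1), "type": rule.group(2),
            "rights": {r.strip() for r in rule.group(3).split(",")},
            "groupdn": norm_dn(rule.group(4))}

def aci_grants(aci, entry_dn, attr, right, bind_groups):
    """Simplified model (not the server's algorithm): does this allow ACI cover the request?"""
    entry = norm_dn(entry_dn)
    in_scope = entry == aci["target"] or entry.endswith("," + aci["target"])
    attr_ok = "*" in aci["targetattr"] or attr.lower() in aci["targetattr"]
    in_group = aci["groupdn"] in {norm_dn(g) for g in bind_groups}
    return (aci["type"] == "allow" and in_scope and attr_ok
            and right in aci["rights"] and in_group)

# Constructed DNs: the message does not say where the mail group lives.
CSE_ADMIN = "cn=CSE Admin,ou=SMTP,o=BAH,c=US"
MAIL_GROUP = "cn=Crystal Park Users,ou=SMTP,o=BAH,c=US"

if __name__ == "__main__":
    aci = parse_aci(ACI_SMTP)
    # Admin who is also a member of the group being edited, then one who is not.
    print(aci_grants(aci, MAIL_GROUP, "uniqueMember", "write", [CSE_ADMIN, MAIL_GROUP]))
    print(aci_grants(aci, MAIL_GROUP, "uniqueMember", "write", [CSE_ADMIN]))
```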
