
Re: Bug in slapd's acl's with SASL (ITS#2067)



The implicit "by * none" doesn't grant access to authentication
and authorization attributes.  See the Administrator's Guide
section on access control and slapd.access(5) with particular
attention to the "auth" permissions.

Kurt

At 02:20 PM 2002-09-04, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.4
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.64.13.58)
>
>
>Hello,
>
>Currently if we define our ACLs as such:
>
># ACL include file for slapd
>#
># this is specific to ldap4.stanford.edu for testing
>
>access to *
>        by dn="cn=manager,dc=stanford,dc=edu" write
>        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>        by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>        by * read
>
>
>Where membership is defined in the groups using SASL with GSSAPI and regexps,
>everything works fine.
>
>However, as soon as we remove 'by * read', we can no longer bind into our groups
>for access.
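As an added illustration of the point in the reply above (this is example configuration, not from the ITS report or from the OpenLDAP project), the slapd.access(5) pattern for keeping the restrictive implicit "by * none" while still granting the "auth" privilege on authentication attributes. It reuses the DNs and groups from the report; the choice of userPassword as the authentication attribute is an assumption for illustration (the page does not say which attributes a GSSAPI/sasl-regexp setup needs), and the clause order matters because slapd applies the first "access to" clause whose target matches the entry and attribute.

```conf
# Added example: ACLs with "by * read" removed, plus an explicit "auth" grant.
# Assumption: userPassword stands in for the authentication attribute; the
# DNs and groups are those from the report.

# Listed first: a more specific target than "access to *", so it must come
# before it or it will never be reached.  "auth" lets the attribute be used
# to authenticate a bind without allowing anyone (other than the manager)
# to read it back.
access to attrs=userPassword
        by dn="cn=manager,dc=stanford,dc=edu" write
        by * auth

# Everything else: no "by * read", so the implicit trailing "by * none"
# applies to any identity not listed here.
access to *
        by dn="cn=manager,dc=stanford,dc=edu" write
        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
        by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
        # implicit:  by * none
```

Within a single "access to" clause the first matching "by" line wins as well, so the manager's "write" entry is placed ahead of the catch-all "by * auth"; swapping them would leave the manager with auth-only access to the attribute.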