Re: Access Rights in SLAPD.CONF
"Craig R. McClanahan" wrote:
> defaultaccess read
> access to attr="userpassword"
> by self write
> by * compare
> access to dn=".*,o=My Company Name,c=US"
> by dn="cn=adminuser,o=My Company Name,c=US"
Ummm. I think you have to write the first one like this:
> access to attr="userpassword"
> by self write
> by dn="cn=adminuser,o=My Company Name,c=US" write
> by * compare
IIRC, the first match is used, so when setting or modifying a
userPassword the second entry is not even inspected. Unless
that's precisely the effect you want to achieve.
> => access_allowed: entry (o=My Company Name, c=US) attr (children)
> => acl_get: entry (o=My Company Name,c=US) attr (children)
> => acl_get: edn O=MY COMPANY NAME,C=US
> => acl_get: [1] check attr children
> => dnpat: [2] *.,O=MY COMPANY NAME,C=US nsub: 0
> <= acl_get: no match
> => acl_access_allowed: write access to entry "o=My Company Name,
> c=US"
> => acl_access_allowed: write access to value "any" by ""
> <= acl_access_allowed: denied by default (no matching to)
> => access_allowed: exit (o=My Company Name, c=US) attr=(children)
> no access to parent
No access to parent: it is not letting you add an entry at o=my...,c=us,
since it does not match. Your rule says:
> access to dn=".*,o=My Company Name,c=US"
> by dn="cn=adminuser,o=My Company Name,c=US"
Either modify the pattern to:
access to dn=".*o=My Company Name,c=US"
Or add a rule for
access to dn="o=My Company Name,c=US"
Julio
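Added example, not code from this thread or from OpenLDAP: a small Python model of how slapd walks "access to ... by ..." clauses, used to reproduce both points above (the userpassword clause being the first match, so the dn clause is never consulted for password writes; and the ".*,o=..." pattern not matching the parent entry "o=My Company Name,c=US", hence "no access to parent"). Assumptions, labelled in the code: dn patterns are regexes matched against the whole DN case-insensitively (real slapd anchoring rules vary by version), the adminuser clause grants "write" (the quoted config omits the level), "cn=someuser,..." is a constructed sample user, and an ADD is modelled, as the quoted debug log shows, as needing write access to the "children" attribute of the parent.

```python
import re

# Toy model of slapd.conf ACL evaluation (added example; not slapd's code).
# Assumptions of the model:
#  - a dn pattern is a regex matched against the whole DN, case-insensitive;
#  - the first "access to" clause whose target matches is used, then the
#    first "by" clause whose subject matches; if no "by" clause matches,
#    the result is no access;
#  - if no "access to" clause matches at all, "defaultaccess" applies;
#  - an ADD needs write access to the "children" attribute of the parent
#    entry, as the quoted "attr (children)" debug output shows.

LEVELS = ["none", "compare", "search", "read", "write"]

ADMIN = "cn=adminuser,o=My Company Name,c=US"
USER = "cn=someuser,o=My Company Name,c=US"   # constructed sample user DN
ORG = "o=My Company Name,c=US"


def who_matches(who, subject_dn, target_dn):
    """Does a 'by <who>' clause apply to subject_dn acting on target_dn?"""
    if who == "*":
        return True
    if who == "self":
        return subject_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return who[3:].lower() == subject_dn.lower()
    raise ValueError("unsupported 'by' clause in this toy model: " + who)


def to_matches(rule, target_dn, attr):
    """Does an 'access to' clause cover (target_dn, attr)? attr=None means the entry itself."""
    dn_pattern, attr_name, _ = rule
    if dn_pattern is not None and not re.fullmatch(dn_pattern, target_dn, re.IGNORECASE):
        return False
    if attr_name is not None and (attr is None or attr_name.lower() != attr.lower()):
        return False
    return True


def access_level(rules, subject_dn, target_dn, attr=None, default="read"):
    """Access level granted to subject_dn on (target_dn, attr): first match wins."""
    for rule in rules:
        if not to_matches(rule, target_dn, attr):
            continue
        for who, level in rule[2]:
            if who_matches(who, subject_dn, target_dn):
                return level
        return "none"          # 'to' matched but no 'by' clause applies
    return default             # nothing matched: defaultaccess


def can(rules, subject_dn, target_dn, needed, attr=None, default="read"):
    got = access_level(rules, subject_dn, target_dn, attr, default)
    return LEVELS.index(got) >= LEVELS.index(needed)


def can_add_under(rules, subject_dn, parent_dn):
    """ADD is modelled as write access to the parent's 'children' attribute."""
    return can(rules, subject_dn, parent_dn, "write", attr="children")


# Each rule: (dn regex or None, attribute name or None, [(who, level), ...]).
# "write" on the adminuser clause is an assumption; the quoted config omits it.
ORIGINAL = [
    (None, "userpassword", [("self", "write"), ("*", "compare")]),
    (r".*,o=My Company Name,c=US", None, [("dn=" + ADMIN, "write")]),
]

# Reordered userpassword clause plus the first suggested dn pattern.
FIXED = [
    (None, "userpassword", [("self", "write"), ("dn=" + ADMIN, "write"), ("*", "compare")]),
    (r".*o=My Company Name,c=US", None, [("dn=" + ADMIN, "write")]),
]

# The alternative: keep the original pattern, add a clause for the org entry itself.
FIXED_ALT = ORIGINAL + [(r"o=My Company Name,c=US", None, [("dn=" + ADMIN, "write")])]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("fixed_alt", FIXED_ALT)):
        print(f"{name:10} admin writes user's userPassword: "
              f"{can(rules, ADMIN, USER, 'write', 'userpassword')!s:5} "
              f"admin adds under org: {can_add_under(rules, ADMIN, ORG)}")
```

Running it shows the original config giving adminuser only "compare" on another entry's userPassword (the attr clause matches first, so the dn clause is never reached) and "read" on the org entry's children (neither clause matches, so defaultaccess applies), while either of the two suggested fixes lets the add through.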