acl's being ignored?

[felix k sheng <felix@deasil.com>]

Hello all,

I've just starting trying to use OpenLDAP, but I've been having some
issues with ACL's.  In particular, openldap seems to be ignoring 
what I'm trying to tell it - I've pored over the list archives and
the SLAPD Admin Guide to no avail..  I'm sure I'm doing something
very obviously silly, but I can't seem to pin point it.  I've 
compiled this fresh for an essentially redhat 5.x linux box.

Boiled down, my slapd.conf contains these lines:

defaultaccess none

access to dn=".*"
   by * none

At various times it contained only the defaultaccess none line and
at other times it had some other more specific lines in it.  But
no matter what I do, if I try and connect anonymously I can always
see everything.

At first I had attempted to cut access to certain attrs like so:

access to attr=mail
   by self write
   by * none

and various iterations like that, but no matter what, I could always
get everything anonymously.  



Giving slapd a -d128 option, I get these lines, which seem relevant:

ACL: access to dn=.*
        by dn=.*

slapd starting

[snip]

=> acl_get: entry (cn=Someone New5, ou=Group, o=Foo, c=US) attr (objectclass)
<= acl_get: no match

=> acl_access_allowed: search access to entry "cn=Someone New5, ou=Group, o=Foo, c=US"

=> acl_access_allowed: search access to value "PERSON" by ""
<= acl_access_allowed: granted by default (no matching to)

=> access_allowed: exit (cn=Someone New5, ou=Group, o=Foo, c=US) attr (objectclass)


What am I doing wrong?  Can I provide any other information?

Thanks for any help!

felix

-- 
felix sheng                                           ... felix@deasil.com

PGP: <http://wwwkeys.us.pgp.net:11371/pks/lookup?op=get&search=0x2CA84A01>