[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Apologies - ACL question

To: Michael Thomas <mike@bedarra.com>
Subject: Re: Apologies - ACL question
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 17 Jun 2000 07:41:33 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <3948FC59.CBFE7F0@bedarra.com>

At 11:55 AM 6/15/00 -0400, Michael Thomas wrote:
> => access_allowed: exit (mail=mike@foo.com, ou=Employees, dc=foo,
>dc=com) attr (entry)
>acl: access to entry not allowed

You did not grant access to the entry psuedo attribute.
You likely should make the following changes:

>
>
>defaultaccess  none
>
>access to attr=userPassword
> by self write
> by dn="cn=Administrator,dc=foo,dc=com" write
> by dn="^$$" compare
> by * none

not sure why you grant anonymous uses the right to
compare userPassword values.  Seems quite inappropriate
(and not needed for authentication).

>access to attr=mail
> by dn=".*,ou=Employees,dc=foo,dc=com" write
> by dn="^$$" search
> by * none

You grant anonymous ability to search by mail and
uid, but not permission to read mail and uid.
Read is need if you desire to have these values
returned.

>access to attr=uid
> by self write
> by dn="cn=Administrator,dc=foo,dc=com" write
> by dn=".*,ou=Employees,dc=foo,dc=com" read
> by dn="^$$" search
> by * none

access to attr=entry
  by self write
  by dn="cn=Administrator,dc=foo,dc=com" write
  by dn=".*,ou=Employees,dc=foo,dc=com" write
  by dn="^$$" read
  by * none

>access to *
> by dn=".*,ou=Employees,dc=foo,dc=com" write
> by * none

This give users under ou=employees the right to
write anything (excepting those items above
where less rights were granted).

Follow-Ups:
- Re: Apologies - ACL question
  - From: Mike Thomas <mike@bedarra.com>

References:
- Apologies - ACL question
  - From: Michael Thomas <mike@bedarra.com>

Prev by Date: Re: ldap as a "non-search"-addressbook in outlook
Next by Date: Re: Bulkloading problems....
Index(es):
- Chronological
- Thread