
slapd: access control



hi,

i've some problems with the access section in the slapd.conf file.

...
access to dn='uid=.*, ou=people, o=test' attrs=password
	by dn='cn=rwpwd, ou=people, o=test" write
access to dn='uid=.*, ou=people, o=test' attrs=password
	by dn='cn=ropwd, ou=people, o=test" read
...

in my understanding of the man pages and the slapd admin guide, this should
grant write access for dn='cn=rwpwd, ou=people, o=test' on the attribute passwd
of all entries matching the dn 'uid=.*, ou=people, o=test'.
the same assumption for 'ropwd', except for the restriction to read permission.

launching slapd with loglevel 192 (config, acl), i can see that the config
is parsed properly.
but a search with

	 ldapsearch -D 'cn=rwpwd, ou=people, o=test'  uid=* password

logs
	 '<= acl_access_allowed: denied by default (no matching by).

and doesn't return the expected password list.
entries and passwords have been set up right, no 'invalid credential' ...
the defaultaccess is search because i expect SLAPD to deal with no read
permissions by default.
so in every case it should be possible to grant the necessary access without
thinking about restrictions for the rest of the database. i mean it's the
usual way to set global restrictions and grant individual permissions.

it would be great to get some useful hints


best regards
michael