
Re: ACL's & slapd



Hi,

On Monday 07 October 2002 19:12, you wrote:
> After reading slapd.access several times, I'm completely lost on how I
> could do something that seems quite simple, but in practice is not working
> at all, especially when SASL is added in:
>
> If I have:
>
> access to dn=""
> 	by * read
>
> access to attrs=suKrb5Name
> 	by * search
>
> access to *
> 	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read
>
> I can't see suKrb5Name in the output when I do an ldapsearch.  Note that
> I'm doing SASL authentication, so it needs search on suKrb5Name to do the
> saslregexp to authenticate me.  If I do
>
> access to attrs=suKrb5Name
> 	by * search break
>
> It then overwrites the access with the by dn="suRegID=...." read, and then
> can no longer authenticate me.  Shouldn't there be some way to make access
> to * truly be access to everything, regardless of the preceding acl's?

I have not tested it in this special case, but have you tried grouping more
than one "by clause" into the access statements?

IIRC, the following lines should do the trick

access to dn=""
	by * read

access to attrs=suKrb5Name
	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read
	by * search

access to *
	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read

CU
Peter
-- 
Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35
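Why the grouped form works and the `break` form does not comes down to how slapd walks the ACL list: the first `access to` directive whose target matches is the one used, and inside it the first matching `by` clause decides the level (`stop` is the default; `break` hands over to the next directive, and a matching directive with no matching `by` clause denies). The following is a small Python model of exactly those rules, added here as an illustration and not code from OpenLDAP or from either poster. It assumes a hypothetical DN `suRegID=example,...` in place of the poster's `<my regid>`, treats `dn="..."` targets as exact-DN matches, and, as the original post describes, models the sasl-regexp lookup as an anonymous search for `suKrb5Name`. Real slapd has more target styles (regex, subtree) than this, so confirm any result against a live server, for instance with `slapd -d 128` (the ACL debug level).

```python
import shlex

# Access levels in increasing order, as slapd used them at the time of the post.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Hypothetical DN standing in for the poster's "suRegID=<my regid>, ..." entry.
ME = "suRegID=example, cn=people,dc=stanford,dc=edu"
ANON = None  # unauthenticated bind (the identity slapd has before SASL mapping)

# Constructed ACL texts: the poster's first attempt, the 'break' variant, and
# the grouped form suggested in the reply.
ORIGINAL_ACL = f"""
access to dn=""
    by * read
access to attrs=suKrb5Name
    by * search
access to *
    by dn="{ME}" read
"""

BREAK_ACL = f"""
access to dn=""
    by * read
access to attrs=suKrb5Name
    by * search break
access to *
    by dn="{ME}" read
"""

GROUPED_ACL = f"""
access to dn=""
    by * read
access to attrs=suKrb5Name
    by dn="{ME}" read
    by * search
access to *
    by dn="{ME}" read
"""


def parse_acl(text):
    """Parse 'access to <what>' directives and their 'by <who> <level> [control]' clauses."""
    directives = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # shlex keeps quoted DNs whole
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            directives.append({"what": tokens[2:], "by": []})
        elif tokens[0] == "by":
            who, level = tokens[1], tokens[2]
            control = tokens[3] if len(tokens) > 3 else "stop"  # slapd's default
            directives[-1]["by"].append((who, level, control))
        else:
            raise ValueError("unrecognised line: " + raw)
    return directives


def norm_dn(dn):
    """Crude DN normalisation: lowercase, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def target_matches(what, entry_dn, attr):
    """'*' matches anything; dn=<dn> is an exact match here (assumption);
    attrs=<a,b> restricts to those attributes.  Every clause present must hold."""
    for clause in what:
        if clause == "*":
            continue
        if clause.startswith("dn="):
            if norm_dn(clause[3:]) != norm_dn(entry_dn):
                return False
        elif clause.startswith(("attrs=", "attr=")):
            allowed = clause.split("=", 1)[1].lower().split(",")
            if attr.lower() not in allowed:
                return False
        else:
            raise ValueError("unsupported target clause: " + clause)
    return True


def subject_matches(who, subject):
    if who == "*":
        return True
    if who == "anonymous":
        return subject is ANON
    if who == "users":
        return subject is not ANON
    if who.startswith("dn="):
        return subject is not ANON and norm_dn(who[3:]) == norm_dn(subject)
    raise ValueError("unsupported subject clause: " + who)


def access_for(directives, subject, entry_dn, attr):
    """Level `subject` ends up with for `attr` on `entry_dn`.

    Directives are tried in order and the first whose target matches is used.
    Inside it the first matching 'by' clause sets the level: 'stop' ends the
    check, 'continue' keeps scanning this directive's clauses, 'break' moves on
    to the next directive.  A matching directive with no matching 'by' clause
    denies (implicit 'by * none'), and so does running off the end of the list
    (implicit 'access to * by * none').
    """
    granted = "none"
    for d in directives:
        if not target_matches(d["what"], entry_dn, attr):
            continue
        control = None
        for who, level, ctl in d["by"]:
            if subject_matches(who, subject):
                granted, control = level, ctl
                if ctl != "continue":
                    break
        if control is None:
            return "none"
        if control == "break":
            continue
        return granted
    return "none"


def can(directives, subject, entry_dn, attr, want):
    """True if the effective level is at least `want`."""
    return LEVELS.index(access_for(directives, subject, entry_dn, attr)) >= LEVELS.index(want)


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_ACL), ("break", BREAK_ACL), ("grouped", GROUPED_ACL)]:
        acl = parse_acl(text)
        print(f"{name:8s} anonymous search on suKrb5Name (sasl-regexp lookup): "
              f"{can(acl, ANON, ME, 'suKrb5Name', 'search')}")
        print(f"{name:8s} own-DN read on suKrb5Name (ldapsearch output):      "
              f"{can(acl, ME, ME, 'suKrb5Name', 'read')}")
```

Run as a script it prints the two checks the poster cares about for each variant: the original gives search to everyone on `suKrb5Name` (so the bound user never sees it), the `break` variant lets the anonymous lookup fall through to a directive with no matching `by` clause (so authentication fails), and the grouped form gives the named DN read while leaving search for the mapping.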