Fwd: Re: Simple ACL problem
| access to attr=userPassword
| by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
| by self write
| by * auth
This rule is fine.
|
| access to dn.subtree="ou=Accounts,o=Shaw Cablesystems,c=CA"
| by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
| by * read
|
| access to *
| by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
| by self read
| by * none
|
The first of these two rules is not really necessary, but it shouldn't matter.
Is 'cn=admin,o=Shaw Cablesystems,c=CA' the rootdn as specified in the
slapd.conf file? If so, comment that out in the slapd.conf file and restart
the server, and see if the admin can do anything.
As far as I can see, the admin can do anything now, while the users can not
see their own entry. From your rules I don't see why:
1. anyone can auth (which is good)
2. only 'self' can write the password attribute (which is what you want)
3. but by the last rule, you are blocking out the RootDSE (which may or may
not affect the rest of the ACLs, which is what I have been trying to find
out for several weeks now)
4. what you are also blocking out is access to 'ou=Accounts,o=Shaw
Cablesystems,c=CA' itself.
try, instead:
| access to *
| by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
| by users read
| by * none
Hope that helps. I am still confused about the RootDSE and its hazy
descendants like subSchemaEntry and such.
_ace
|
|
| Thanks in advance,
|
| ============================
| Darren Gamble
| Planner, Regional Services
| Shaw Cablesystems GP
| 630 - 3rd Avenue SW
| Calgary, Alberta, Canada
| T2P 4L4
| (403) 781-4948
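Added illustration, not part of the thread above: a toy evaluator for the first-match semantics of slapd.conf access directives (the first `access to` whose target covers the entry/attribute is selected, then the first matching `by` clause sets the level, and levels are cumulative so `write` implies `read`). It replays both rule sets quoted in the mail against the admin DN from the thread, two constructed user DNs under `ou=Accounts`, and the empty-DN RootDSE, and models the rootdn bypass the reply asks about. Only the `what`/`who` forms used on the page are supported.

```python
# Toy first-match evaluator for slapd.conf-style ACLs. Added example: the admin DN
# and the rule text come from the thread; ALICE/BOB are constructed sample DNs.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse `access to <what>` / `by <who> <level>` lines; a leading '|' quote
    marker (as in the mail) is tolerated."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("| ").strip()
        if not line:
            continue
        if line.startswith("access to "):
            cur = {"what": line[len("access to "):].strip(), "by": []}
            rules.append(cur)
        elif line.startswith("by ") and cur is not None:
            who, level = line[3:].rsplit(None, 1)   # <who> may contain spaces inside quotes
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            cur["by"].append((who.strip(), level))
    return rules


def _unquote(s):
    return s.strip('"').lower()


def what_matches(what, entry_dn, attr):
    """Does an `access to <what>` target cover this entry/attribute request?"""
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr is not None and attr.lower() == what[len("attr="):].lower()
    if what.startswith("dn.subtree="):
        base = _unquote(what[len("dn.subtree="):])
        e = entry_dn.lower()
        return e == base or e.endswith("," + base)   # a subtree includes its base entry
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, entry_dn):
    """Does a `by <who>` subject match the bound identity? bind_dn=None is anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == _unquote(who[len("dn="):])
    raise ValueError("unsupported <who>: " + who)


def granted_level(rules, bind_dn, entry_dn, attr=None, rootdn=None):
    """First `access to` whose target matches wins; inside it the first matching
    `by` clause sets the level; no match anywhere means no access. The rootdn
    configured in slapd.conf is not subject to ACLs at all."""
    if rootdn is not None and bind_dn is not None and bind_dn.lower() == rootdn.lower():
        return "write"
    for rule in rules:
        if what_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"


def allows(rules, bind_dn, entry_dn, attr, needed, rootdn=None):
    """Levels are cumulative: write > read > search > compare > auth > none."""
    got = granted_level(rules, bind_dn, entry_dn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(needed)


ADMIN = "cn=admin,o=Shaw Cablesystems,c=CA"                 # from the thread
ALICE = "uid=alice,ou=Accounts,o=Shaw Cablesystems,c=CA"    # constructed
BOB = "uid=bob,ou=Accounts,o=Shaw Cablesystems,c=CA"        # constructed
ROOT_DSE = ""                                               # the empty DN

ORIGINAL_ACL = """
access to attr=userPassword
  by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
  by self write
  by * auth
access to dn.subtree="ou=Accounts,o=Shaw Cablesystems,c=CA"
  by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
  by * read
access to *
  by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
  by self read
  by * none
"""

# Same first two rules, last rule replaced by the one suggested in the reply.
PROPOSED_ACL = ORIGINAL_ACL.rsplit("access to *", 1)[0] + """access to *
  by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
  by users read
  by * none
"""

if __name__ == "__main__":
    cases = (("anonymous -> bob/userPassword", None, BOB, "userPassword"),
             ("alice -> bob/userPassword", ALICE, BOB, "userPassword"),
             ("alice -> own userPassword", ALICE, ALICE, "userPassword"),
             ("alice -> RootDSE/namingContexts", ALICE, ROOT_DSE, "namingContexts"),
             ("anonymous -> RootDSE/namingContexts", None, ROOT_DSE, "namingContexts"))
    for name, text in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        rules = parse_acl(text)
        print(name)
        for label, bind, entry, attr in cases:
            print(f"  {label:38s} {granted_level(rules, bind, entry, attr)}")
```

The RootDSE rows are the ones the reply is worried about: under the original last rule an authenticated user gets `none` on the empty DN (self never matches it), while `by users read` grants `read` and still leaves anonymous binds at `none`. Passing `rootdn=ADMIN` short-circuits every lookup to `write`, which is why the reply suggests commenting out rootdn before judging whether the admin's rights actually come from the ACLs.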