Re: cn=Log,cn=Monitor

[Michael Ströder <michael@stroeder.com>]

Pierangelo Masarati wrote:
> > > backend; however it'd be of little use; my usual strategy
> > > is to add ACLs that allow regular users belonging to other
> > > databases to operate on monitor entries.
> >
> > Makes sense to me. I'll try with ACLs. Can you please post an example?
>
> database bdb # any other database ...
> suffix "dc=example,dc=com"
> # ...
>
> database monitor
> access to *
>     by dn.exact="uid=Administrator,ou=People,dc=example,dc=com" write
>     by dn="uid=[^,]+,ou=People,dc=example,dc=com" read
>     by * none

BTW: I'm using REL_ENG_2_1 CVS-updated yesterday with the following config:

----------------------- snip -----------------------
database        monitor

access to *
    by dn.exact="cn=root,dc=stroeder,dc=com" write
    by * read
----------------------- snip -----------------------

This does not work for me. I still get unWillingToPerform without info 
message when bound as cn=root,dc=stroeder,dc=com. Why? When bound as 
anonymous I get strongAuthRequired and when bound as other user I get 
insufficientAccessRights which both makes sense to me. But 
unWillingToPerform sounds like this backend is not writeable at all.

Ciao, Michael.