[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: problem with access control

To: Ottavio Campana <ottavio@campana.vi.it>, openldap-software@OpenLDAP.org
Subject: Re: problem with access control
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Mon, 08 Mar 2004 09:35:53 -0800
Content-disposition: inline
In-reply-to: <404CA729.7090207@campana.vi.it>
References: <404CA729.7090207@campana.vi.it>

--On Monday, March 08, 2004 6:02 PM +0100 Ottavio Campana <ottavio@campana.vi.it> wrote:

I'm trying to set up an address book with ldap. I want that one user (in
this case uid=bott,ou=Users,dc=campana,dc=vi,dc=it) can access the
address book with password and read and write it, while any other person
cannot give a look at the records.

I've tried this rule in slapd.conf:


access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" read
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
         by * none

but it doesn't work, for if a run ldapsearch anonymously I can get all
the infos of the address book.


I will note that WRITE implies READ, so you can have just:

access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
         by * none

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- problem with access control
  - From: Ottavio Campana <ottavio@campana.vi.it>

Prev by Date: Re: sn/surname mess. Need your opinion
Next by Date: Re: LDAPI documentation (was Re: Graphical LDAP clients with SASL support)
Index(es):
- Chronological
- Thread