Re: trouble with access control

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 12:27 AM 4/17/2006, Dr. Harry Knitter wrote:
>Am Donnerstag, 13. April 2006 17:13 schrieb Lise Didillon:
>> At 08:39 13/04/06 +0200, Dr. Harry Knitter wrote:
>> >Hello,
>> >
>> >I am new with Openldap and with this list, too.
>> >
>> >My problem is as follows:
>> >
>> >I have set up an openldap server with simple bind.
>> >
>> >Everything works fine when using rootdn to acess my data.
>> >There are several addressbooks in different dns.
>> >
>> >My access controls are:
>> >access to *
>> >         by * read
>> >
>> >access to dn.subtree="dc=mydoamin,dc=tld"
>> >         by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
>> >         by * none
>> 
>> write instead:
>> 
>> access to dn.subtree="dc=mydoamin,dc=tld"
>>          by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
>>          by * none
>> 
>> access to *
>>          by * read
>> 
>> because slapd finds and stops at the first rule that matches the entry,
>> 
>
>
>When I do this I get no access at all.

Ignoring the differences in second level RDNs of your DNs
is merely a typo in your messages (but not in your configuration),
it appears you didn't grant "auth" permission necessary for
anonymous users to access userPassword values (in the subtree)
for the purposes of simple bind authentication.  That is,
"by anonymous auth" might be more appropriate than the
(redundant) "by * none".   See slapd.access(5) and the Admin
Guide for details.

- Kurt