
Re: trouble with access control



On Tuesday, 18 April 2006 02:43, Kurt D. Zeilenga wrote:
> At 12:27 AM 4/17/2006, Dr. Harry Knitter wrote:
> >On Thursday, 13 April 2006 17:13, Lise Didillon wrote:
> >> At 08:39 13/04/06 +0200, Dr. Harry Knitter wrote:
> >> >Hello,
> >> >
> >> >I am new to OpenLDAP and to this list, too.
> >> >
> >> >My problem is as follows:
> >> >
> >> >I have set up an openldap server with simple bind.
> >> >
> >> >Everything works fine when using rootdn to access my data.
> >> >There are several addressbooks in different dns.
> >> >
> >> >My access controls are:
> >> >access to *
> >> >         by * read
> >> >
> >> >access to dn.subtree="dc=mydoamin,dc=tld"
> >> >         by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
> >> >         by * none
> >> 
> >> write instead:
> >> 
> >> access to dn.subtree="dc=mydoamin,dc=tld"
> >>          by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
> >>          by * none
> >> 
> >> access to *
> >>          by * read
> >> 
> >> because slapd finds and stops at the first rule that matches the entry.
> >> 
> >
> >
> >When I do this I get no access at all.
> 
> Ignoring the differences in second level RDNs of your DNs
> is merely a typo in your messages (but not in your configuration),
> it appears you didn't grant "auth" permission necessary for
> anonymous users to access userPassword values (in the subtree)
> for the purposes of simple bind authentication.  That is,
> "by anonymous auth" might be more appropriate than the
> (redundant) "by * none".   See slapd.access(5) and the Admin
> Guide for details.
> 
> - Kurt 
> 
I have tried it and it works.

Thanks for the help.

Harry
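For reference, here is the complete slapd.conf ACL as the thread ends up with it: the subtree rule first (since slapd stops at the first matching rule), the explicit "by anonymous auth" that Kurt points out, and the catch-all read rule last. This is an added example written for this archive page, not configuration posted by any participant; it uses the consistent suffix dc=mydomain,dc=tld (the "mydoamin" spelling in the quoted messages is the typo Kurt refers to), and the second rule set with attrs=userPassword goes beyond the thread by following the pattern from the OpenLDAP Admin Guide, which is the tighter form most deployments want.

```conf
# Minimal fix matching the thread: grant anonymous "auth" on the subtree so a
# simple bind can verify userPassword, while still denying anonymous reads.
# "auth" is weaker than "read": anonymous clients can authenticate against
# the entries but cannot retrieve their attributes.
access to dn.subtree="dc=mydomain,dc=tld"
        by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
        by anonymous auth
        by * none

# Everything outside that subtree stays world-readable, as in the original
# configuration. This must come AFTER the subtree rule: if it came first it
# would match every entry and the subtree rule would never be consulted.
access to *
        by * read

# Tighter variant (assumption: follows the Admin Guide pattern, not stated in
# the thread). Put this BEFORE the subtree rule so password values are never
# readable by anyone, including harry, while binds keep working.
#
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
```

The "by" clauses are also evaluated first-match: harry is tested first and gets write (which implies auth), an unauthenticated client then gets exactly auth, and the trailing "by * none" is only a documentation of the default. To confirm the ordering behaves as intended without restarting slapd in production, run slapd with "-d acl" against a test configuration and watch which "access to" rule each request stops at.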