Re: Need some help on a specific ACL
At 03:18 PM 12/4/2006, Rob Tanner wrote:
>I have most of this bloody long ACL working right,
You seem to have forgotten that evaluation stops (by default) at
the first matching accessing statement.
>but I still need an
>anonymous access to any entry under the "ou=people,o=linfield.edu" base
>DN for the purpose of authentication. I need to be able to search on
>the UID in order to retrieve the full DN of the entry. None of my
>trials have been successful. Can someone please help?
Order matters. I suggest you read the Admin Guide and FAQ discussion
of access controls to get a basic understanding of how access controls
should be ordered.
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
http://www.openldap.org/faq/index.cgi?file=1375
http://www.openldap.org/faq/index.cgi?file=189
>Thanks,
>Rob
>
>access to dn.one="ou=people,o=linfield.edu"
> attrs=userpassword
> by anonymous auth
>
>access to dn.one="ou=people,o=linfield.edu"
> by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
> by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
>
>access to dn.one="ou=people,o=linfield.edu"
> filter=(!(ou=student))
> by * read
>
>access to dn.one="ou=people,o=linfield.edu"
> filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student))
> by * read
>
>access to dn.one="ou=people,o=linfield.edu"
> filter=(&(!(ou=Student))(!(entryStatus=Inactive)))
> by * read
>
>access to dn.one="ou=people,o=linfield.edu"
> attrs=userPassword,maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords
> by self write
>
>
>--
>
>Rob Tanner
>UNIX Services Manager
>Linfield College, McMinnville OR
>
>
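
Added illustration, not part of the original message or of OpenLDAP: a simplified Python model of the first-match evaluation described in the reply, applied to the first three directives of the quoted ACL. The requester labels ("postfix", "ferpa-admins"), the sample entry and the reduction of group membership to a plain label are assumptions made for the sketch.

```python
# Simplified model of slapd's default ACL evaluation: the first directive whose
# <what> (attrs + filter) matches the target is selected, and its first matching
# <who> clause decides the access level. Each directive ends with an implicit
# "by * none", and no later directive is consulted once one has been selected.

ANON = "anonymous"

# First three directives in the order posted. attrs=None means "all attributes";
# filt is a predicate over the entry (None = no filter clause). Requester names
# are shortened, hypothetical labels standing in for the DNs and the group.
RULES = [
    {"attrs": {"userpassword"}, "filt": None, "by": [(ANON, "auth")]},
    {"attrs": None, "filt": None,
     "by": [("postfix", "read"), ("ferpa-admins", "read")]},
    {"attrs": None, "filt": lambda e: e.get("ou", "").lower() != "student",
     "by": [("*", "read")]},
]


def evaluate(rules, requester, entry, attr):
    """Return (index of the selected directive, access level granted)."""
    for i, rule in enumerate(rules):
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                      # <what> does not cover this attribute
        if rule["filt"] is not None and not rule["filt"](entry):
            continue                      # <what> filter does not match the entry
        for who, level in rule["by"]:
            if who in ("*", requester):
                return i, level           # first matching <who> wins
        return i, "none"                  # implicit "by * none"; evaluation stops
    return None, "none"                   # implicit final "access to * by * none"


# Same directives with the filtered "by * read" rule moved ahead of the
# unfiltered one, only to show that ordering changes the result.
REORDERED = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    staff = {"ou": "staff"}               # constructed sample entry
    print(evaluate(RULES, ANON, staff, "uid"))       # directive 1 shadows the rest
    print(evaluate(REORDERED, ANON, staff, "uid"))   # filtered directive is reached
```

In the posted order, an anonymous request for any attribute other than userPassword is caught by the second directive, which has no filter and no attrs clause, so the filtered "by * read" directives after it are never evaluated.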