[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question

To: "Quanah Gibson-Mount" <quanah@zimbra.com>, "Tim Gustafson" <tjg@soe.ucsc.edu>, openldap-software@openldap.org
Subject: Re: ACL Question
From: "Tim Gustafson" <tjg@soe.ucsc.edu>
Date: Sat, 31 Jan 2009 01:25:55 +0000
Importance: Normal
In-reply-to: <2C8F6A8CE2687B8E020C00BB@[192.168.1.199]>
References: <171584720.319221233362557897.JavaMail.root@mail-01.cse.ucsc.edu><2C8F6A8CE2687B8E020C00BB@[192.168.1.199]>
Sensitivity: Normal

This is the first ACL in the file. 


Tim Gustafson
SOE Webmaster
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354

-----Original Message-----
From: Quanah Gibson-Mount <quanah@zimbra.com>

Date: Fri, 30 Jan 2009 17:24:47 
To: Tim Gustafson<tjg@soe.ucsc.edu>; <openldap-software@openldap.org>
Subject: Re: ACL Question


--On Friday, January 30, 2009 4:42 PM -0800 Tim Gustafson
<tjg@soe.ucsc.edu> wrote:

> Hi,
>
> I have the following in my slapd.conf:
>
> access to dn.subtree="cn=log"
>  by
> group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu"
> read
>
> However, anyone (even unbound anonymous users) can access cn=log without
> any problems.  I don't want anyone but ldap-admins to be able to access
> this subtree.
>
> I'm thinking that I must be missing something really simple here.  Am I
> doing something wrong?  Any help is greatly appreciated.

What are your other acls?  ACLs are applied as they are reached, so if a
previous ACL allows access to cn=log, this one will never get evaluated.

--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- ACL Question
  - From: Tim Gustafson <tjg@soe.ucsc.edu>
- Re: ACL Question
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: slapd 2.4.13: ppolicy_use_lockout not working as expected
Next by Date: Re: ACL Question
Index(es):
- Chronological
- Thread