Re: ACL problem in slapd.conf

[Jonathan Clarke <jonathan@phillipoux.net>]

On 04/09/2009 14:16, Tomasz Chmielewski wrote:
> Jonathan Clarke wrote:
>
> > 2) You can enable loglevel acl in your configuration file and check
> > the logs to see which rules are being used.
> >
> > I hope this helps. If you have further questions, don't hesitate to
> > post back here with your full set of ACLs, and information on the
> > version of slapd you're using.
>
> I think I have it working with changing this set of ACLs:
>
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by self write
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by anonymous auth
> by * none
>
> access to *
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by * read
>
>
>
> to this:
>
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by self write
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by anonymous auth
> by * none
>
> access to dn.subtree="ou=Users,dc=example,dc=com"
> by dn="uid=Operator,ou=Users,dc=example,dc=com" write
> by * read
> by self write
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by anonymous auth
> by * none

Be careful - none of the "by" clauses after the 2nd ("by * read") will 
be read. The first matching clause wins, and "*" matches everyone.

> access to dn.subtree="ou=Groups,dc=example,dc=com"
> by dn="uid=Operator,ou=Users,dc=example,dc=com" write
> by * read
> by self write
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by anonymous auth
> by * none
>
> access to *
> by dn="uid=replica,ou=Users,dc=example,dc=com" write
> by * read
>
>
> And I think I should comment out "by anonymous auth" from the two
> entries I added...

auth is only meaningful on the userPassword attribute, which you already 
granted in your first ACL (well, except some implicit searches during 
bind, but this is a rare case).

Jonathan