
aci for anonymous (ITS#1508)



Full_Name: Norbert Pabis
Version: 2.0.19
OS: Linux
URL: ftp://ftp.openldap.org/incoming/norbert-pabis-011228.patch
Submission from: (NULL) (157.25.5.68)


Problem:
When using ldap compiled with --enable-aci, ACIs do not work for anonymous.

What I did:
As written in http://www.OpenLDAP.org/lists/openldap-devel/200112/msg00150.html
by Kurt D. Zeilenga, we do not have to deal with IETF drafts, so I did not
introduce another dntype "public" as was proposed in
http://www.openldap.org/lists/openldap-devel/200009/msg00005.html.
Instead I considered an empty DN as anonymous, which is OK according to
http://www.openldap.org/faq/index.cgi?_highlightWords=anonymous&file=318

The simple patch I submitted removes the stopper that kept ACIs from being
processed during an anonymous bind.
Right now aci: ...#access-id# corresponds to anonymous
and aci: ...#access-id#* corresponds to all users and anonymous too.

The only thing needed is to include a rule in slapd.conf
access to attr=userPassword by anonymous compare
that enables user authorization.
This is the only thing that bothers me: whether this is all OK. But I hope that
someone more competent will take a look at the patch.

I did 'make test' and all went OK, even the acl test, so hopefully the patch
does not spoil anything but improves aci.