[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in slapd's acl's with SASL (ITS#2067)

The implicit "by * none" doesn't grant access to authentication
and authorization attributes.  See the Administrator's Guide
section on access control and slapd.access(5) with particular
attention to the "auth" permissions.


At 02:20 PM 2002-09-04, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.4
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>Currently if we define our ACL's as such:
># ACL include file for slapd
># this is specific to ldap4.stanford.edu for testing
>access to *
>        by dn="cn=manager,dc=stanford,dc=edu" write
>        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>        by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>        by * read
>Where membership is defined in the groups using SASL with GSSAPI and regexp's,
>everything works fine.
>However, as soon as we remove 'by * read', we can no longer bind into our groups
>for access.