Re: help with ACL

At 09:15 AM 10/26/99 -0600, Giri Raichur wrote:
>"Kurt D. Zeilenga" wrote:
>> At 10:38 PM 10/25/99 -0600, Giridhar Raichur wrote:
>> >> >1. Disable anonymous access (NULL bind entry)
>> >>
>> >> Set default access to none and add:
>> >>      by dn="" none
>> >
>> >I tried to do just that but that seems to prevent all searches.
>> >Here's what I have in my access list -
>> >
>> >defaultaccess none
>> >
>> >access to dn=".*, o=Los Alamos National Laboratory, c=US"
>> >       by dn="" none
>> >       by dn=".*, o=Los Alamos National Laboratory, c=US" read
>> >       by *    none
>> s/, /,/g above so that the DN regex will be able to match the
>> normalized DNs of your entries.
>I did what you suggested but with the same result. It works OK if
>I comment out
>"defaultaccess none" or when I make default access "read".

Sorry, I forgot that dn="" doesn't work in OpenLDAP 1.2.
Instead, you need to use dn="^$$" to match anonymous uses.
(Yes, two $$).  So,

access to dn=".*,o=Los Alamos National Laboratory,c=US"
	by dn="^$$" none
	by dn=".*,o=Los Alamos National Laboratory,c=US" read
	by *    none


Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
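
The following is an added example, not part of the original message and not OpenLDAP code: a small Python model of the corrected rule, showing which bind DNs get which access and why a target regex written with ", " does not cover normalized entry DNs. It assumes that normalization removes whitespace around commas, that matching is an unanchored, case-insensitive regex search, that "$$" in the config yields a literal "$", and that the first matching "by" clause decides; the sample DNs are constructed.

```python
import re

LAB = ".*,o=Los Alamos National Laboratory,c=US"
SPACED = ".*, o=Los Alamos National Laboratory, c=US"  # original, with ", "

# The corrected rule from the message: (target regex, [(who regex, level), ...])
ACL = [(LAB, [("^$$", "none"), (LAB, "read"), ("*", "none")])]


def normalize_dn(dn):
    # Assumed normalization: no whitespace around the commas between RDNs.
    # Splitting on "," ignores escaped commas, which the samples do not use.
    return ",".join(part.strip() for part in dn.split(","))


def conf_regex(text):
    # Assumptions: "$$" in the config file yields one literal "$" in the
    # regex, and matching is case-insensitive.
    return re.compile(text.replace("$$", "$"), re.IGNORECASE)


def rule_applies(target, entry_dn):
    # Does the "access to dn=..." regex cover this (normalized) entry DN?
    return conf_regex(target).search(normalize_dn(entry_dn)) is not None


def access_for(bind_dn, entry_dn, acl=ACL, default="none"):
    bind = normalize_dn(bind_dn)
    for target, by_clauses in acl:
        if not rule_applies(target, entry_dn):
            continue
        for who, level in by_clauses:
            # First matching "by" clause decides.
            if who == "*" or conf_regex(who).search(bind):
                return level
        return "none"  # no clause matched: deny in this model
    return default  # no rule covers the entry: defaultaccess applies


if __name__ == "__main__":
    entry = "cn=Test User, o=Los Alamos National Laboratory, c=US"  # constructed
    for who in ("", "cn=Other User,o=Los Alamos National Laboratory,c=US",
                "cn=Outsider,o=Example,c=US"):
        print(repr(who), "->", access_for(who, entry))
    print("spaced target applies:", rule_applies(SPACED, entry))
```

In this model a rule whose target regex never matches leaves every decision to defaultaccess, so a permissive default would also apply to the anonymous bind.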