
Re: help with ACL



At 11:22 AM 10/26/99 -0600, Giri Raichur wrote:
>> access to dn=".*,o=Los Alamos National Laboratory,c=US"
>>         by dn="^$$" none
>>         by dn=".*,o=Los Alamos National Laboratory,c=US" read
>>         by *    none
>Thank you. However, I am still confused about the default access line in
>the access list.
>should that be included in the access list or is "by * none" in the
>access clause sufficient.

by * none does match everything and hence you could drop the first
who clause.  However, I doubt this is your problem.  It appears that
the implicit, last ACL:

	access to * by * default

rule is being applied (where default is whatever you set default
access to).

I suspect a DN mismatch (your entries/targets are not under
"o=Los Alamos National Laboratory,c=US") or that you are not accessing
the directory in a manner consistent with the ACLs.

Is this your only ACL?  If not, provide the complete list.

>When I type "defaultaccess none" above the access clause, all searches
>fail.

Duplicate the problem using ldapsearch.  Post a copy of the exact
command line issued and the results.

You might also peek at the log files to see if it offers any hints.
You might enable ARGS, TRACE, and ACL debugging as well.  This will
generate a huge amount of output.

>I would like to set defaultaccess to none and only allow otherwise.

I strongly recommend "defaultaccess none".  Besides being a
sane default, it offers forward compatibility with future versions
of OpenLDAP.

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
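The reply's reasoning (first matching `access to` line wins, first matching `by` clause within it decides, and an entry matched by no `access to` line falls through to the implicit `access to * by * default`) is easy to check by hand with a small model. The following is an added example written for this archive page, not code from the thread or from OpenLDAP. It is a toy evaluator of slapd 1.x-style ACLs and deliberately models only what the reply relies on; the DNs are constructed, and the following are assumptions rather than documented slapd behaviour: DN regexes are matched unanchored and case-insensitively against the full DN, `$$` in a `by dn=` pattern stands for a literal `$` (so `^$$` matches the empty, i.e. anonymous, bind DN) and `$N` is back-substituted from the target match, and an `access to` line that matches the entry but has no matching `by` clause yields no access.

```python
"""Toy model of slapd 1.x ACL evaluation (added example, not OpenLDAP code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class By:
    who: str      # "*" or a regex over the bind DN, slapd.conf form ($$ = literal $)
    access: str   # none | compare | search | read | write


@dataclass
class Access:
    target: str                         # "*" or a regex over the entry DN
    by: List[By] = field(default_factory=list)


def _who_matches(who: str, bind_dn: str, target_match: re.Match) -> bool:
    """Does this by-clause apply to the requestor's bind DN ("" = anonymous)?"""
    if who == "*":
        return True

    # ASSUMPTION: $N expands to group N of the target regex match, $$ to "$".
    def expand(m: re.Match) -> str:
        tok = m.group(1)
        return "$" if tok == "$" else target_match.group(int(tok))

    pattern = re.sub(r"\$(\$|\d)", expand, who)
    return re.search(pattern, bind_dn, re.IGNORECASE) is not None


def evaluate(acls: List[Access], default: str, entry_dn: str, bind_dn: str) -> str:
    """Access level the requestor gets on entry_dn under these ACLs."""
    for clause in acls:
        m = re.search(".*" if clause.target == "*" else clause.target,
                      entry_dn, re.IGNORECASE)
        if m is None:
            continue               # this access line does not cover the entry
        for by in clause.by:
            if _who_matches(by.who, bind_dn, m):
                return by.access   # first matching by clause wins
        return "none"              # ASSUMPTION: matched line, no matching by
    return default                 # implicit last rule: access to * by * default


LANL = ".*,o=Los Alamos National Laboratory,c=US"

# The ACL quoted in the thread, clause for clause.
THREAD_ACL = [
    Access(LANL, [By("^$$", "none"), By(LANL, "read"), By("*", "none")]),
]
# The same ACL with the "^$$" who-clause dropped, as the reply says is possible.
SHORTER_ACL = [
    Access(LANL, [By(LANL, "read"), By("*", "none")]),
]

# Constructed DNs for the probe (not from the thread).
SUFFIX = "o=Los Alamos National Laboratory,c=US"
USER = "cn=Giri Raichur," + SUFFIX           # an entry under the organisation
OUTSIDE = "cn=someone,o=Elsewhere,c=US"      # an entry outside it


def probe(acls: List[Access], default: str) -> Dict[str, str]:
    """Access levels for the cases the reply raises, keyed by a label."""
    return {
        "user_reads_own_subtree": evaluate(acls, default, USER, USER),
        "anon_reads_subtree":     evaluate(acls, default, USER, ""),
        # The suffix entry itself has no comma before "o=", so the target
        # regex ".*,o=..." does not match it: a DN mismatch of the kind the
        # reply suspects, and the request falls through to the default.
        "user_reads_suffix":      evaluate(acls, default, SUFFIX, USER),
        "user_reads_outside":     evaluate(acls, default, OUTSIDE, USER),
    }


if __name__ == "__main__":
    for default in ("read", "none"):
        print(f"defaultaccess {default}:", probe(THREAD_ACL, default))
    print("without the ^$$ clause:", probe(SHORTER_ACL, "none"))
```

Running it shows the two points the reply makes: the `^$$` clause is redundant because `by * none` already catches the anonymous bind, and a search whose base (or whose results) sits outside what `.*,o=Los Alamos National Laboratory,c=US` matches, including the suffix entry itself, is governed only by `defaultaccess`, which is why "all searches fail" once that is set to none. To reproduce against a live server as the reply suggests, compare an anonymous `ldapsearch -b "<base>" "(objectclass=*)"` with one that binds via `-D "<user dn>" -w <password>`, using the exact base DN of the entries.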