[Date Prev][Date Next] [Chronological] [Thread] [Top]

acl's being ignored?

Hello all,

I've just starting trying to use OpenLDAP, but I've been having some
issues with ACL's.  In particular, openldap seems to be ignoring 
what I'm trying to tell it - I've pored over the list archives and
the SLAPD Admin Guide to no avail..  I'm sure I'm doing something
very obviously silly, but I can't seem to pin point it.  I've 
compiled this fresh for an essentially redhat 5.x linux box.

Boiled down, my slapd.conf contains these lines:

defaultaccess none

access to dn=".*"
   by * none

At various times it contained only the defaultaccess none line and
at other times it had some other more specific lines in it.  But
no matter what I do, if I try and connect anonymously I can always
see everything.

At first I had attempted to cut access to certain attrs like so:

access to attr=mail
   by self write
   by * none

and various iterations like that, but no matter what, I could always
get everything anonymously.  

Giving slapd a -d128 option, I get these lines, which seem relevant:

ACL: access to dn=.*
        by dn=.*

slapd starting


=> acl_get: entry (cn=Someone New5, ou=Group, o=Foo, c=US) attr (objectclass)
<= acl_get: no match

=> acl_access_allowed: search access to entry "cn=Someone New5, ou=Group, o=Foo, c=US"

=> acl_access_allowed: search access to value "PERSON" by ""
<= acl_access_allowed: granted by default (no matching to)

=> access_allowed: exit (cn=Someone New5, ou=Group, o=Foo, c=US) attr (objectclass)

What am I doing wrong?  Can I provide any other information?

Thanks for any help!


felix sheng                                           ... felix@deasil.com

PGP: <http://wwwkeys.us.pgp.net:11371/pks/lookup?op=get&search=0x2CA84A01>