slapd: access control


I've some problems with the access section in the slapd.conf file.

access to dn='uid=.*, ou=people, o=test' attrs=password
	by dn='cn=rwpwd, ou=people, o=test" write
access to dn='uid=.*, ou=people, o=test' attrs=password
	by dn='cn=ropwd, ou=people, o=test" read

In my understanding of the man pages and the slapd admin guide, this should
grant write access for dn='cn=rwpwd, ou=people, o=test' on the attribute passwd
of all entries matching the dn 'uid=.*, ou=people, o=test'.
The same assumption holds for 'ropwd', except for the restriction to read permission.

Launching slapd with loglevel 192 (config, acl), I can see that the config
is parsed properly.
But a search with

	 ldapsearch -D 'cn=rwpwd, ou=people, o=test'  uid=* password

gives

	 '<= acl_access_allowed: denied by default (no matching by).

and doesn't return the expected password list.
Entries and passwords have been set up right, no 'invalid credential' ...
The defaultaccess is search because I expect SLAPD to deal with no read
permissions by default.
So in every case it should be possible to grant the necessary access without
thinking about restrictions for the rest of the database. I mean it's the
usual way to set global restrictions and grant individual permissions.

It would be great to get some useful hints.

Best regards