
Re: ACL for userPassword problems



On Fri, Feb 15, 2002 at 10:44:25AM +0100, Thomas Hager wrote:
> according to the openldap admin guide, giving access to attributes with
> attrs="bla" is not enough. you have to define to which entries the
> access rule applies.
> 
> try this acl:
> 
> access to "dn=.*" attrs=userPassword
>      by self write
>      by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
>      by anonymous auth
>      by * none
> 
> tom

No, that's not it -- I've had it working with a similar setup
before.   We have several different directories -- the suffixes
are

dc=au,dc=cordoors,dc=com
dc=my,dc=cordoors,dc=com
.
.
.
dc=cordoors,dc=com

and I think the problem appeared after we split things up like
this.  The split is done so we can have each of our branches
be its own master and update the others, except for the
top-level domain.  Access controls seem to be working fine
for everything except the userPassword, which is the only
attribute with "* none" perms.  Our directories are ldbm,
and each has its own root dn and password specified.

What really bothers me is that I can't see the userPassword
if I bind *as that record*.  I know I am binding OK, as I
get everything else, and I have a little C program to check
binding as well.

--Chris Robertson
Corinthian Engineering
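The two evaluation rules behind Thomas's suggested ACL are what usually decide whether a userPassword rule behaves as expected: slapd uses the first "access to" clause whose <what> matches the entry and attribute, and within that clause the first matching "by" line, with an implicit "by * none" if nothing matches. The script below is an added illustration, not code from this thread or from OpenLDAP: it models those rules and shows the same userPassword clause once placed before a catch-all "access to * by * read" (anonymous can only bind) and once placed after it (anonymous can read the password hash). The suffix dc=example,dc=com and the DNs used are placeholders, and a bind with no matching clause is simply denied in this model.

```python
"""Toy model of OpenLDAP slapd.conf access-control evaluation.

Added illustration for the thread above; not code from the thread or from
OpenLDAP.  It reproduces two rules that matter for userPassword ACLs:
  1. The first 'access to' clause whose <what> matches the entry and
     attribute wins; later clauses are never consulted.
  2. Inside that clause the first matching 'by' wins; if none matches,
     access is denied (implicit 'by * none').
The suffix dc=example,dc=com and all DNs below are placeholders.
"""
import re

# Privilege levels in the order slapd ranks them; each implies the earlier ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <what> / by <who> <level>' stanzas.

    Returns a list of (dn_regex, attrs_or_None, [(who, level), ...]).
    Both the dn=".*" and the "dn=.*" spellings are accepted, since the
    config line parser strips the quotes either way.
    """
    clauses = []
    for stanza in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        lines = [l.strip() for l in stanza.splitlines()
                 if l.strip() and not l.strip().startswith("#")]
        dn_pat, attrs = ".*", None
        for tok in lines[0].replace('"', "").split():
            if tok.startswith("dn="):
                dn_pat = tok[3:]
            elif tok.startswith("attrs="):
                attrs = {a.lower() for a in tok[6:].split(",")}
            # a bare '*' selects every entry and every attribute (defaults above)
        by = []
        for line in lines[1:]:
            parts = line.replace('"', "").split()
            if parts[0] == "by" and parts[-1] in LEVELS:
                by.append((" ".join(parts[1:-1]), parts[-1]))
        clauses.append((dn_pat, attrs, by))
    return clauses


def _who_matches(who, bind_dn, target_dn):
    """Does the bound identity satisfy one <who> selector? '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn != "" and re.fullmatch(who[3:], bind_dn, re.I) is not None
    return False


def granted_level(clauses, bind_dn, target_dn, attr):
    """Level the first matching clause grants to bind_dn on attr of target_dn."""
    for dn_pat, attrs, by in clauses:
        if re.fullmatch(dn_pat, target_dn, re.I) and (attrs is None or attr.lower() in attrs):
            for who, level in by:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # clause matched but no 'by' did: implicit 'by * none'
    return "none"          # nothing matched: this toy model denies


def can(acl_text, bind_dn, target_dn, attr, needed):
    """True if bind_dn gets at least 'needed' access to attr of target_dn."""
    level = granted_level(parse_acl(acl_text), bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)


# The userPassword clause from the thread, with a placeholder suffix.
PASSWORD_CLAUSE = '''
access to dn=".*" attrs=userPassword
     by self write
     by dn="uid=.*,ou=CIAdmin,dc=example,dc=com" write
     by anonymous auth
     by * none
'''
CATCH_ALL = '''
access to *
     by * read
'''
ACL_GOOD = PASSWORD_CLAUSE + CATCH_ALL  # password clause first: it shadows the catch-all
ACL_BAD = CATCH_ALL + PASSWORD_CLAUSE   # catch-all first: the password clause is never reached

if __name__ == "__main__":
    me = "uid=chris,ou=People,dc=example,dc=com"
    admin = "uid=ops,ou=CIAdmin,dc=example,dc=com"
    other = "uid=bob,ou=People,dc=example,dc=com"
    for name, acl in (("good order", ACL_GOOD), ("bad order", ACL_BAD)):
        print(name)
        print("  anonymous may bind (auth):", can(acl, "", me, "userPassword", "auth"))
        print("  anonymous may read       :", can(acl, "", me, "userPassword", "read"))
        print("  self may write           :", can(acl, me, me, "userPassword", "write"))
        print("  CIAdmin may write        :", can(acl, admin, me, "userPassword", "write"))
        print("  other user may read      :", can(acl, other, me, "userPassword", "read"))
```

The model deliberately ignores per-database scoping: on a real slapd each "access" directive applies to the database section it appears in (or globally if it precedes every database), so with several suffixes the clause has to be present, and in the right order, for each database that is expected to enforce it.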