[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: aci

On Tue, Feb 26, 2002 at 12:45:26PM +0530, Raghu Babu wrote:
> Hi,
> Yes we need aci for keeping dynamic permission at  the runtime of ldap
> server without restarting server, the right should get activted
> I have tried the solution with your approach but still I am not able to
> authenticate to ldap server.
> The following entry I added in ryagnik

> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=admins,ou=groups,o=waterford.org

> also I created group by name cn=Admins,ou=groups,o=waterford.org
> & added ryagnik as member to that group
> I also tried

>    OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#self
>    OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=ryagnik,ou=people,o=waterford.org
> But still I was not able to authenticate ryagnik to ldap server I am
> getting the error insufficient access rights
> I think it's related with anonymous rights for ryagnik
Yes, you are right I forgot about that. In order to authenticate against an
entry you need give "auth" access to the "userPassword"-Attribute of that
Entry, to the user "anonymous". So your ACLs would look like this: 

access to attr=userPassword
    by self write
    by anoymous auth
    by * none                   <- You may want to add a "break" statement 
                                   here, if you want to give access to the
access to *                        "userPassword"-Attribute for other users
    by aci write                   through the ACI.

Ralf Haferkamp

SuSE GmbH                                        - The Linux Experts -
Deutschherrnstrasse 15-19                         http://www.suse.com
D-90429 Nuernberg, Germany                        Tel: +49-911-74053-0