[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control

I just got this to work (FINALLY!!). I added:

access to attrs=userpassword
        by * auth

to the top of my access declarations. Anyone know why this is required?


On Fri, 2002-12-27 at 21:27, Matty wrote:
> Howdy folks,
> I have been mucking with Access Control for the past day and 1/2, and
> cannot seem to get a cn to authenticate. I created several
> contact objects, and a cn named email [1] which I want to allow
> read/write access to a specific branch of my DIT. After reading through
> the docs on www.openldap.org, I thought:
> access to dn="ou=contacts,dc=dom,dc=com"         
>         by  dn="cn=email,dc=dom,dc=com"  write
> would allow email to read/write to the contacts branch of the tree. When
> I run ldapsearch:
> $ ldapsearch -h ldap.dom.com -LL -D 'cn=email,dc=dom,dc=com' -b
> 'ou=contacts,dc=dom,dc=com' '(cn=*)'
> I get:
> Bind Password:
> ldap_simple_bind_s: Insufficient access
> Anyone happen to know what I am missing? I have experimented with
> various things I found on google, but so far, no luck :(
> Thanks for any insight,
> Ryan
> [1]
> dn: cn=email,dc=dom,dc=com
> objectClass: top
> objectClass: organizationalRole
> objectClass: simpleSecurityObject
> cn: email
> description: User allowed to update the contacts tree
> userPassword: (MD5)94cc0f2c4100623b4efc85a534b7cd2a
Ryan Matteson - UNIX Administrator
GPG ID: 1B52A210 2002-12-01 Ryan Matteson (Primary Key Pair)
Public Key: http://www.daemons.net/~matty/public.asc
Detached Digital Signature: http://www.daemons.net/~matty/public.sig.asc
Fingerprint = A0B1 298E 29C4 3F26 01D5  EDFC 3D62 281F 1B52 A210