
Re: OpenLDAP 2.1 and ACL



Tue, 2003-01-28 at 00:39, Emmanuel Blot wrote:

> slapd still seems to require access to the 'entry' attribute to perform the search.
> I've added:
> access to attr=entry
>        by users read

Dunno, I'm afraid. I don't use this and don't know anyone else who does.
'man slapd.access' would seem to indicate that by doing this, you are
also blocking access to the entry's children, since the default at this
point is 'stop'. Though that's my interpretation and could be wrong.

E.g., I don't have any 'entry' pseudo attribute and "it works for me".
At a certain point I =do= have a 'children' pseudo attribute, but that's
comparatively deep down in a sub-tree, once everything else has been
satisfied.

By filtering things like 'sn' and 'cn', you're only making everything
doubly difficult for yourself. Why don't you just start with a
bare-bones ACL and add what you want, one thing at a time, till it
breaks? That's the way I do it.

BTW, your log level gives interesting results that I haven't seen
before. What log level is it?

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl