Re: OpenLDAP 2.1 and ACL



I would like to un-subscribe please
Thanks,
Hélène

Tony Earnshaw wrote:

> Tue, 2003-01-28 at 00:39, Emmanuel Blot wrote:
>
> > slapd still seems to require access to the 'entry' attribute to perform the search.
> > I've added:
> > access to attr=entry
> >        by users read
>
> Dunno, I'm afraid. I don't use this and don't know anyone else who does.
> 'man slapd.access' would seem to indicate that by doing this, you are
> also blocking access to the entry's children, since the default at this
> point is 'stop'. Though that's my interpretation and could be wrong.
>
> F.ex., I don't have any 'entry' pseudo attribute and "it works for me".
> At a certain point I =do= have a 'children' pseudo attribute, but that's
> comparatively deep down in a sub-tree, once everything else has been
> satisfied.
>
> By filtering things like 'sn' and 'cn', you're only making everything
> doubly difficult for yourself. Why don't you just start with a
> bare-bones ACL and add what you want, one thing at a time, till it
> breaks? That's the way I do it.
>
> BTW, your log level gives interesting results that I haven't seen
> before. What log level is it?
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> When all's said and done ...
> there's nothing left to say or do.
>
> e-post:         tonni@billy.demon.nl
> www:            http://www.billy.demon.nl