[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [LDAP-SOFTWARE] ACLand regex (matching self)

Quanah wrote:
> No it is not the same thing.  It looks like you are using 2.0 and I'm using
> 2.1, so I don't think it applies in your case.  Anyhow, as I noted, "entry"
> doesn't exist in anything, therefore giving read to entry by * does nothing
> security wise.  However, if I wanted to say, give access to uid, and
> someone didn't have access to read entry, they couldn't read the contents
> of uid, even if I said access to uid by * read.  I also have the dn."" read
> entry in my slapd.conf.  I still required the access to entry by * read bit
> as well.

Yes, I am using 2.0...

And no, it's not getting any clearer... My openldap 1.3 with qmail-ldap works 
fantastically, though, for the past two or 3 years. Now, after all this 
confusion, I am really doubting if I should upgrade (to 2.0.27 that is, let 
alone 2.1.x !)

Actually, due to incomprehensible ACL's, I have dropped the project in October 
2002 only to return to it in February 2003, with much the same frustrations 
and, although I feel I am lot closer to a solution, still without a working 
version. The persons who ' own' me are getting weary of my excuses, and ask 
me to either install the previous working version, or just leave out all 
ACL's. The latter might be really secure ;-) since all the traffic comes from 

Anyway, I am getting a good nights sleep and tomorrow we'll see again.


> --Quanah