
Re: Proper ACL's?



On 01.08.2003 at 21:16, Brian wrote:
-----------------------------------
>I'm having what must be a really simple issue with ACLs in OpenLDAP and
>allowing users to authenticate with ssh.  If I have no ACLs, it works
>fine.  If I put in something like this:
>
>access to dn="" by * read
>access to attr=userpassword
>   by self write
>   by anonymous auth
>
>access to *
>    by self write
>    by users read
>
>Then users can't authenticate with ssh.

I don't know much about OpenLDAP, and almost nothing about ssh
authentication with OpenLDAP, but: are you aware that the
access directives are parsed from top to bottom, and that *only*
the *first* matching rule is applied?
(see: http://www.openldap.org/doc/admin21/slapdconfig.html#Access Control,
paragraph "5.3.4. Access Control Evaluation")

I can't say that I understand what
     access to dn="" by * read
means (I haven't read all of the OpenLDAP admin guide), but maybe you should
try changing the order of the access directives?

Regards,
     Hon.
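As an added illustration of the first-match evaluation Hon points to (example code written for this page, not part of the thread and not slapd's own code), here is a small Python model of slapd-style ACL evaluation applied to the quoted directives. It assumes that `dn=""` matches only the empty DN (the root DSE), that a rule with no matching `by` clause ends in an implicit `by * none`, and that a simple bind needs at least `auth` on `userPassword`; which match style `dn=""` really uses in Brian's slapd version is not settled by the thread.

```python
"""Toy model of slapd ACL evaluation: the first <what> clause that matches the
target wins, and within it the first matching <by> clause sets the level.
Constructed example; it simplifies the real semantics."""

# Privilege levels in increasing order; a higher level implies the lower ones
# (e.g. "read" on userPassword also permits "auth").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def implies(granted, wanted):
    return LEVELS.index(granted) >= LEVELS.index(wanted)

def who_matches(who, requester, target_dn):
    # <by> subjects modelled: "*", "anonymous", "users" (any bound DN), "self"
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    raise ValueError(who)

def what_matches(what, target_dn, attr):
    # <what> forms modelled: "*", ("dn", exact_dn), ("attr", name)
    if what == "*":
        return True
    kind, value = what
    if kind == "dn":                      # assumption: exact DN match only
        return target_dn == value
    if kind == "attr":                    # attribute names are case-insensitive
        return attr is not None and attr.lower() == value.lower()
    raise ValueError(kind)

def evaluate(acl, requester, target_dn, attr=None):
    """Return the access level the ACL grants; the first matching rule decides."""
    for what, by_clauses in acl:
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"                 # implicit trailing "by * none"
    return "none"                         # no rule matched: default deny

# The quoted directives, in the order Brian posted them.
BRIAN_ACL = [
    (("dn", ""), [("*", "read")]),
    (("attr", "userPassword"), [("self", "write"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("users", "read")]),
]
# Same rules with the catch-all moved to the top: it now shadows the others.
SHADOWED_ACL = [BRIAN_ACL[2], BRIAN_ACL[0], BRIAN_ACL[1]]

USER = "uid=brian,ou=people,dc=example,dc=com"   # constructed DN

def anonymous_can_bind(acl, user_dn):
    """A simple bind needs at least "auth" on userPassword for an anonymous requester."""
    return implies(evaluate(acl, None, user_dn, "userPassword"), "auth")
```

With the rules in the posted order the anonymous requester reaches the `userPassword` rule and gets `auth`; with the catch-all first, the same requester is stopped at `access to *` and gets nothing.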