
Re: acl problem Insufficient access



Hi

> 2: This is a "chicken and egg" situation. master cannot gain rights to subtrees unless he has rights to the parent(s) as well. So begin at supermaster, he will have rights, and make under-supermasters all the way down the tree to see what happens and give them rights. How you do this depends on the software version you are using. I can't give specific advice since you, like many, refuse to say which software version you're working with. ("OpenLDAP" isn't sufficient.) However, stick to regexps and be prepared to use more than a single one for each ACL.

I'm using OpenLDAP v. 2.0.23 on a woody.

# dn= is a regex in 2.0: anchor it with ^ and $ so only that exact DN matches.
# "by" lines must be indented; slapd.conf treats lines starting with
# whitespace as continuations of the previous directive.
access to attrs=userPassword
        by dn="^cn=admin,dc=exemple,dc=net$" write
        by dn="^cn=authuser,dc=exemple,dc=net$" read
        by anonymous auth
        by self write
        by * none


This is my ACL file:


# Virtual mail domain access (Courier-ldap).
# Most specific rules first: slapd selects the first "access to" whose
# <what> matches the entry/attribute and never looks at the later ones,
# so this rule must come before the global userPassword rule below.
# dn= is a regex in 2.0; anchor it with ^ and $.
access to dn="^.*,o=([^,]+),o=hosting,dc=exemple,dc=net$"
        attrs=userPassword
        by self write
        by group/organizationalRole/roleOccupant="cn=postmaster,o=$1,o=hosting,dc=exemple,dc=net" write
        by anonymous auth
        by * none

# Master user access.
# The <what> regex had a doubled comma (o=domain,,dc=exemple) and the
# <by> DN had spaces after the commas; neither form matches a normalized
# DN, so both are removed here.
access to dn="^.*,ou=admingroup,o=([^,]+),o=domain,dc=exemple,dc=net$"
        by dn="^cn=master,ou=admingroup,o=$1,o=domain,dc=exemple,dc=net$" write

access to attrs=userPassword
        by dn="^cn=admin,dc=exemple,dc=net$" write
        by dn="^cn=authuser,dc=exemple,dc=net$" read
        by anonymous auth
        by self write
        by * none

# The admin dn has full write access. This catch-all must stay last:
# placed first, "access to *" matches every entry and attribute and the
# rules after it are never consulted.
access to *
        by dn="^cn=admin,dc=exemple,dc=net$" write




> > PS: who knows a good LDAP ACL howto?

> There wasn't one when I searched last. The archives for this list are pretty good. Then there's Adam Williams' standard work (ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf). Hints are both in 'man 5 slapd.access' (with my version) and the site's Admin manual for 2.1.

I've just read it... but it has not resolved my doubts.
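[Editor's note, added to this archived message and not part of the thread or of OpenLDAP itself.] The ordering question above can be checked without a running slapd. The script below is an added example that mimics the evaluation rules documented in slapd.access(5) for 2.0: the first "access to" directive whose <what> matches the target is selected, within it the first "by" clause whose <who> matches the requester decides, dn="..." is a regex, and $1..$9 in a "by" clause are filled from the groups captured by the <what> regex. The directory entries, DNs (cn=master, uid=bob, uid=pm, uid=alice, the cn=postmaster role) and the two ACL orderings are constructed for the example; what slapd grants when no directive matches at all depends on the version and the defaultaccess setting, so the evaluator takes that as a parameter and assumes none.

```python
"""Toy evaluator for slapd 2.0-style regex ACLs (added example, not slapd code).
Mirrors slapd.access(5): first matching <what> wins, then first matching <who>;
the granted level must be >= the requested level. All data is constructed."""
import re

# slapd's privilege ladder, weakest to strongest
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed directory: normalized DN -> {attribute: [values]}
DIRECTORY = {
    "cn=postmaster,o=foo,o=hosting,dc=exemple,dc=net": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=pm,o=foo,o=hosting,dc=exemple,dc=net"],
    },
}


def expand(pattern, match, escape):
    """Replace $1..$9 with groups captured by the <what> regex. The result of a
    "by dn=" clause is itself a regex, so the group text is escaped there."""
    def group(g):
        value = match.group(int(g.group(1)))
        return re.escape(value) if escape else value
    return re.sub(r"\$([1-9])", group, pattern)


def who_matches(who, arg, requester, target, match):
    """One <who> selector. requester is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    if who == "dn":  # regex against the requester's normalized DN
        return requester is not None and re.search(expand(arg, match, True), requester) is not None
    if who == "group":  # group/<objectclass>/<memberattr>="<dn>", dn taken literally after expansion
        objectclass, member_attr, group_dn = arg
        entry = DIRECTORY.get(expand(group_dn, match, False), {})
        return objectclass in entry.get("objectClass", []) and requester in entry.get(member_attr, [])
    raise ValueError(f"unknown <who> {who}")


def granted(acls, target, attr, requester, default="none"):
    """Access level granted. `default` stands in for the version-dependent
    behaviour when no directive matches (assumed none here)."""
    for acl in acls:
        match = re.search(acl["dn"] or "", target)
        if match is None:
            continue
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, arg, level in acl["by"]:
            if who_matches(who, arg, requester, target, match):
                return level
        return "none"  # <what> matched but no <by> clause did: denied
    return default


def allowed(acls, target, attr, requester, want):
    return LEVELS.index(granted(acls, target, attr, requester)) >= LEVELS.index(want)


ADMIN = r"^cn=admin,dc=exemple,dc=net$"
PASSWORD = {"dn": None, "attrs": ["userPassword"], "by": [
    ("dn", ADMIN, "write"), ("dn", r"^cn=authuser,dc=exemple,dc=net$", "read"),
    ("anonymous", None, "auth"), ("self", None, "write"), ("*", None, "none")]}
CATCH_ALL = {"dn": None, "attrs": None, "by": [("dn", ADMIN, "write")]}
COURIER = {"dn": r"^.*,o=([^,]+),o=hosting,dc=exemple,dc=net$", "attrs": ["userPassword"], "by": [
    ("self", None, "write"),
    ("group", ("organizationalRole", "roleOccupant", "cn=postmaster,o=$1,o=hosting,dc=exemple,dc=net"), "write"),
    ("anonymous", None, "auth"), ("*", None, "none")]}
MASTER = {"dn": r"^.*,ou=admingroup,o=([^,]+),o=domain,dc=exemple,dc=net$", "attrs": None, "by": [
    ("dn", r"^cn=master,ou=admingroup,o=$1,o=domain,dc=exemple,dc=net$", "write")]}

POSTED = [PASSWORD, CATCH_ALL, COURIER, MASTER]  # order of the posted acl file
FIXED = [COURIER, MASTER, PASSWORD, CATCH_ALL]   # most specific rules first

MASTER_DN = "cn=master,ou=admingroup,o=foo,o=domain,dc=exemple,dc=net"
BOB = "uid=bob,ou=admingroup,o=foo,o=domain,dc=exemple,dc=net"
PM = "uid=pm,o=foo,o=hosting,dc=exemple,dc=net"
ALICE = "uid=alice,o=foo,o=hosting,dc=exemple,dc=net"


def demo():
    """Same requests against both orderings; values noted in the comments."""
    return {
        "posted: master on bob": granted(POSTED, BOB, None, MASTER_DN),                # none (catch-all shadows)
        "fixed: master on bob": granted(FIXED, BOB, None, MASTER_DN),                  # write
        "fixed: master on o=bar": granted(FIXED, BOB.replace("o=foo", "o=bar"), None, MASTER_DN),  # none
        "posted: postmaster on alice pw": granted(POSTED, ALICE, "userPassword", PM),  # none (global rule shadows)
        "fixed: postmaster on alice pw": granted(FIXED, ALICE, "userPassword", PM),    # write via roleOccupant
        "fixed: anonymous on alice pw": granted(FIXED, ALICE, "userPassword", None),   # auth
        # unanchored "by dn" regex: a DN *below* cn=admin matches it as well
        "unanchored admin": granted([{"dn": None, "attrs": None, "by": [("dn", "cn=admin,dc=exemple,dc=net", "write")]}],
                                    BOB, None, "uid=x,cn=admin,dc=exemple,dc=net"),   # write
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```

With the posted order, cn=master gets nothing on its own admingroup and the postmaster gets nothing on userPassword, because "access to *" and the global userPassword rule are selected first and stop evaluation; moving the subtree rules ahead of them gives the expected write. The last case shows why the "by dn" regexes want ^ and $: an unanchored pattern also matches any DN that ends with the admin DN.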