
Re: slapd.conf - acl question



We are on 2.1.22 and I appear to have an acl problem. I have one access
line (for test purposes) in my slapd.conf file with one db (bdb):

access to attr=sn
	by * read

When you do this, you don't have access to anything but attr=sn. So you can't see any attributes like uid=douglas or anything else in the directory. For every ACL you write, there's an invisible "access to * by * none" at the end, so if there's no match anywhere in the ACL, you don't have any access.

I just did another test. In slapd.conf I have:

access to *
	by * read

access to *
	by * none

ACLs work by first match and out. Once a match is made, we leave the ACL, and no other analysis is done. In this case, you are allowing read-only access to everything, so the second line will never be reached no matter what you place there.

I would think this would turn everything on, then everything off, yet when I do an ldapsearch, I can see ALL attributes of whoever I look at. If I try it with no access line, then the default takes over, which gives read access to anonymous.

My main question is the one at the beginning: why, if I have one access
line of:

access to attr=sn by * read

does it appear not to work?


This link might be helpful to you - I've found it helpful.


Matt Richard
Access and Security Coordinator
Franklin & Marshall College
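The following is an added worked example, not code from the thread or from OpenLDAP itself. It models the two evaluation rules the reply relies on (first matching "access to" directive wins and nothing after it is consulted; if no directive matches, an implicit "access to * by * none" applies) for just the subset of slapd.conf syntax used in the question, and runs the two configurations from the thread through it. It also models the documented "entry" pseudo-attribute (an entry is only returned by a search if the client has read access to it), which is the reason an ACL granting only attr=sn shows nothing. The names `parse_acl`, `access_level`, `visible_attrs`, the sample entry and the third "corrected" ACL are assumptions made for this illustration.

```python
"""Model of OpenLDAP slapd.conf ACL evaluation for the cases in this thread.

Added example, not slapd's own code. It implements only the subset of
'access to <what> by <who> <level>' used above (what: '*' or
'attr=/attrs=<list>'; who: '*', 'anonymous', 'users') with two rules:
  1. the first 'access to' whose <what> matches wins; later directives
     are never consulted (first match and out);
  2. if no directive matches, an implicit 'access to * by * none' applies.
It also models the 'entry' pseudo-attribute: a search only returns an
entry when the client has read access to 'entry'.
"""
from dataclasses import dataclass, field

# Access levels in increasing order, as slapd.conf defines them.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class AccessDirective:
    what: str
    by: list = field(default_factory=list)  # [(who, level), ...] in file order


def parse_acl(text):
    """Parse 'access to <what>' directives and their 'by <who> <level>' clauses.
    'by' clauses may follow on the same line or on indented continuation lines."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "access":
            if len(tokens) < 3 or tokens[1] != "to":
                raise ValueError(f"malformed directive: {raw!r}")
            rules.append(AccessDirective(what=tokens[2]))
            tokens = tokens[3:]
        elif not rules:
            raise ValueError(f"'by' clause before any 'access to': {raw!r}")
        while tokens:
            if tokens[0] != "by" or len(tokens) < 3 or tokens[2] not in LEVELS:
                raise ValueError(f"malformed by clause: {raw!r}")
            rules[-1].by.append((tokens[1], tokens[2]))
            tokens = tokens[3:]
    return rules


def what_matches(what, attr):
    """Does a <what> clause cover this attribute (or the 'entry' pseudo-attribute)?"""
    if what == "*":
        return True
    for prefix in ("attrs=", "attr="):
        if what.startswith(prefix):
            return attr in what[len(prefix):].split(",")
    return False


def who_matches(who, subject):
    """<who> forms modelled: '*' (everyone), 'anonymous', 'users' (authenticated)."""
    return who == "*" or who == subject


def access_level(rules, attr, subject="anonymous"):
    """Level granted to subject on attr under first-match semantics."""
    for rule in rules:
        if what_matches(rule.what, attr):
            for who, level in rule.by:
                if who_matches(who, subject):
                    return level
            return "none"  # directive matched but no 'by' applied: stop, no access
    return "none"  # implicit trailing 'access to * by * none'


def can_read(rules, attr, subject="anonymous"):
    return LEVELS.index(access_level(rules, attr, subject)) >= LEVELS.index("read")


def visible_attrs(rules, entry_attrs, subject="anonymous"):
    """Attributes a search would return for one entry, or None when the
    entry itself is withheld because 'entry' is not readable."""
    if not can_read(rules, "entry", subject):
        return None
    return [a for a in entry_attrs if can_read(rules, a, subject)]


# Constructed sample: attribute names of a typical person entry.
SAMPLE_ENTRY = ["uid", "cn", "sn", "mail"]

# First test from the thread: only sn is granted, so the entry itself is never returned.
ACL_SN_ONLY = """
access to attr=sn
	by * read
"""

# Second test from the thread: the second directive is never reached.
ACL_READ_THEN_NONE = """
access to *
	by * read

access to *
	by * none
"""

# Hypothetical corrected ACL for "show only sn": 'entry' must be readable too.
ACL_SN_VISIBLE = """
access to attr=entry,sn
	by * read
access to *
	by * none
"""

if __name__ == "__main__":
    for name, text in [("sn only", ACL_SN_ONLY),
                       ("read then none", ACL_READ_THEN_NONE),
                       ("sn visible", ACL_SN_VISIBLE)]:
        print(f"{name:15} -> {visible_attrs(parse_acl(text), SAMPLE_ENTRY)}")
```

Running it shows the three outcomes discussed in the thread: the sn-only ACL returns no entry at all, the read-then-none ACL returns every attribute because the "none" directive is dead, and an ACL that grants read on entry and sn before a closing "access to * by * none" returns just sn.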