Re: Can I do this with OpenLDAP acls?
> access to attr=userPassword
>     by dn="cn=Manager,dc=justthe,dc=net" write
>     by self write
>     by anonymous read
>     by * auth
>
> access to *
>     by dn="cn=Manager,dc=justthe,dc=net" write
>     by anonymous read
>     by self read
Pal, your ACLs are screwed wild. Anonymous can READ the password,
and everything else, but bound users have limited privileges!
First of all, do us a favour, and set them to
access to attr=userPassword
    by dn="cn=Manager,dc=justthe,dc=net" write
    by self write
    by * auth

access to *
    by dn="cn=Manager,dc=justthe,dc=net" write
    by self read
If, as I suspect, "cn=Manager,dc=justthe,dc=net" is your rootdn,
you don't need to give it write access --- it's set by default,
otherwise there would be no need to define a rootdn, a regular
user would suffice.
I think this is written in red, blinking everywhere in the docs,
and even in the sample slapd.conf that comes with the software.
But this is my guess, and I might be wrong; in that case, please
excuse me.
To answer your question, you may give read permission to "users",
or read permissions to the specific DN you want to make able to
read other entries. In the first case add a

    by users read

line to the ACLs that match the specific entry you want to give
access to; in the latter, add a

    by dn.exact="<some dn>" read
Hope it helps. Note that 2.2's slapd.access(5) man page shows
plenty of details about ACL issues; the FAQ
http://www.openldap.org/faq/data/cache/189.html
contains a bit of info, some of which might be slightly out of
date, but still basically correct.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
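As an added illustration of the point made in the reply (example code, not part of the original thread or of OpenLDAP itself), here is a small model of how slapd picks the applicable ACL, run against the poster's ACLs and the suggested fix. The "mail" attribute and the uid= DNs are constructed sample values; the "dn:" prefix stands in for dn.exact=.

```python
# Added example, not from the mail: a small model of slapd.access(5) evaluation.
# The first "access to" clause whose target matches the attribute is selected;
# within it, the first matching "by" clause sets the level and nothing after it
# is consulted. A selected clause with no matching <who> ends in "none".
# Sample ACLs are transcribed from the thread; "mail" and the uid= DNs are made up.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # 2.2-era ladder
MANAGER = "cn=Manager,dc=justthe,dc=net"

# (target attribute or "*", [(who, level), ...]) in slapd.conf order
ORIGINAL = [  # the poster's ACLs: anonymous outranks everyone but Manager
    ("userPassword", [("dn:" + MANAGER, "write"), ("self", "write"),
                      ("anonymous", "read"), ("*", "auth")]),
    ("*", [("dn:" + MANAGER, "write"), ("anonymous", "read"), ("self", "read")]),
]
FIXED = [  # the reply's suggestion
    ("userPassword", [("dn:" + MANAGER, "write"), ("self", "write"), ("*", "auth")]),
    ("*", [("dn:" + MANAGER, "write"), ("self", "read")]),
]
FIXED_USERS_READ = [  # plus "by users read", the reply's answer to the question
    FIXED[0],
    ("*", [("dn:" + MANAGER, "write"), ("self", "read"), ("users", "read")]),
]

def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous bind, else the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn:"):  # stands in for dn.exact=
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError("unsupported <who>: " + who)

def granted_level(acls, requester, entry_dn, attr):
    for target, clauses in acls:
        if target == "*" or target.lower() == attr.lower():
            for who, level in clauses:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"  # clause selected but no <who> matched: implicit "by * none"
    return "none"  # no "access to" clause matched at all

def allows(acls, requester, entry_dn, attr, needed):
    """True if the granted level is at least `needed` on the ladder."""
    return LEVELS.index(granted_level(acls, requester, entry_dn, attr)) >= LEVELS.index(needed)
```

Running granted_level(ORIGINAL, None, "uid=bob,dc=justthe,dc=net", "userPassword") returns "read", which is exactly the exposure the reply complains about; FIXED returns "auth" for the same query.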