[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: adding access control for replication user
On Sun, 18 Apr 2004, Pierangelo Masarati wrote:
> > On Sun, 18 Apr 2004, Pierangelo Masarati wrote:
> >
> >> > Thanks that does make things work, I did in fact have something
> >> similar exept it was more like ...
> >> >
> >> > access to attrs=userPassword
> >> > by dn="<your replicator's DN>" write
> >> > by self write
> >> > by * auth
> >>
> >> Likely you added a last directive of the form
> >> access to *
> >> by dn.exact="<your replicator's DN>" write
> >>
> >> This by default implies that anonymous users can't read "*".
> >>
> >> If your intention is that everything that's not explicitly
> >> protected by ACLs must be readable by all including anonymous,
> >> then add a last directive of the form
> >>
> >> access to *
> >> by dn.exact="<your replicator's DN>" write
> >> by * read
> >>
> > rats when I run ldapsearch -x it still will not work.
> >
> > Here is my acl
> > <snip>
> > access to dn="" by * read
> > access to *
> > by self write
> > by users read
> > by anonymous auth
> > by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
> > by * read
> > </snip>
>
> ACL <who> clauses are tested in order; anonymous, besides being not
> required in your example, comes before *, so anonymous only gets auth
> permission. Note that auth permission is meaningful only for auth tokens,
> i.e. userpasswords, so there's no reason to give anybody auth permission
> to anything else. Please stick with my initial example:
>
> access to attrs=userPassword
> by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
> by self write
> by * auth
>
> access to *
> by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
> by * read
>
Thanks very much for your excellent help and making this clear to me. It
works perfectly now and I should be able to correctly expand my rules in
the future.