
Re: Querying the server



Hi Gavin,

I think you may have misunderstood Kurt's reply.

> > implicit in all access control lists:
> >         access to * by * none
> 

He means that the default for all access control lists is 'access to * by 
* none'.  That means if you write nothing, 'access to * by * none' is 
assumed.  That means it's *always* there, whether you write it or not.

> I added the above line to the auth list. Is this correct?

If by this you mean you literally added the line 

access to * by * none

to your slapd.conf, then no, it's not correct, and yes, you did
misunderstand.  It would never need to be added, it's always implied.  
What needs to happen is that you include some directive that contravenes
that one.  Perhaps some variant of 

access to dn.base="dc=example,dc=com" 
       filter="namingContexts=*" 
       by anonymous read

if all you want to do is be able to read namingContexts from an anonymous
bind.  Not absolutely sure of the 'dn.base' or the filter syntax, you
should check it with others more experienced than me.

> >
> > >defaultaccess read
> >
> > extraneous directive.
> And deleted this one. Should I RTFM a bit more?

Access control is tricky.  Yes, we should *all* RTFM more.  At least I 
know I should.  :)

-- 
Craig Dunigan
IS Network Services Specialist
LDAP - Middleware - DoIT
University of Wisconsin  - Madison
cdunigan@doit.wisc.edu
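
An added example, not part of the original message: a slapd.conf ACL fragment showing the implicit final rule discussed above next to explicit rules that override it for an anonymous namingContexts query. It assumes slapd.conf-style ACLs with dn.base support and relies on the server publishing namingContexts in the root DSE (the entry with the empty DN); the rule set is illustrative, not a recommended policy for any particular site.

```conf
# Added example. slapd picks the first "access to <what>" clause that matches
# the target, then the first "by <who>" inside that clause. Put specific
# rules first and broad rules last.

# 1. Root DSE (empty DN): where namingContexts is published.
#    Without a rule like this, an anonymous search of the root DSE falls
#    through to the implicit deny at the bottom and returns nothing.
access to dn.base=""
        by * read

# 2. Everything else: an entry's owner may modify it, authenticated users
#    may read, anonymous clients may only use entries to bind.
#    Each "by" list also ends with an implicit "by * none".
access to *
        by self write
        by users read
        by anonymous auth

# 3. Implicit final rule. slapd behaves as if this were the last line of
#    every ACL list, so writing it out changes nothing and grants nothing.
# access to * by * none
```

To check the result, run an anonymous base-scope search of the root DSE, for example `ldapsearch -x -s base -b "" namingContexts`, and confirm that only the attributes you intended to expose come back.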