Re: Access Control by Organizational Unit?
Heather Lockridge writes:
> I am having a problem. I can read, but not write to
> the ldap db.
>
> access to * by * read
> access to * by * search
> access to *
>     by self write
>     by dn.base="cn=ldap-admin,o=test.com"
>     by * none
Only the first matching "access to" is used. So since "access to *"
matches everything, everyone just gets read access to everything.
Similarly, when the server has determined which "access" statement to
use, the first matching "by" is used. You can override this with the
<control> field explained in 'man slapd.access', but I have never needed
Also, "read" access implies "search" access. From 'man slapd.access':

    The possible levels are none, auth, compare, search, read, and write.
    Each access level implies all the preceding ones.

    access to * by self write
        by dn.base="cn=ldap-admin,o=test.com" write
        by * read
_after_ all the other access statements. Except I don't see who and
what you wanted to give "none" access to, since you give "read" and
"none" access to the same <what> and the same <who>.
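The evaluation rules the reply describes (only the first matching "access to" directive is consulted, within it only the first matching "by" clause decides, and each level implies the ones before it) can be checked without a running slapd. The following is an added example, not part of the original message or of OpenLDAP itself: a small Python simulator of those slapd.access(5) rules that parses both the quoted configuration and the suggested rewrite and reports who ends up with which access. The entry DN cn=alice,o=test.com is constructed for illustration; the simulator supports only a handful of <what>/<who> forms, leaves a "by" clause with an omitted level unmodelled (it raises if such a clause is ever selected), and assumes denial when no directive matches at all, a case neither configuration reaches since both begin with "access to *".

```python
"""Added example (not from the original reply): a minimal simulator of the
slapd.access(5) evaluation order.  DNs below are constructed samples."""
import shlex

# Access levels in increasing order; each level implies all preceding ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <what> by <who> [<level>] ...' directives.

    Returns a list of (what, [(who, level), ...]).  level is None when a
    'by' clause omits it; what slapd does with an omitted level is not
    modelled here.
    """
    tokens = shlex.split(text)  # also strips the quotes in dn.base="..."
    acls, i = [], 0
    while i < len(tokens):
        if tokens[i] != "access" or i + 2 >= len(tokens) or tokens[i + 1] != "to":
            raise ValueError("expected 'access to <what>' near token %d" % i)
        what, i = tokens[i + 2], i + 3
        bys = []
        while i + 1 < len(tokens) and tokens[i] == "by":
            who, i = tokens[i + 1], i + 2
            level = None
            if i < len(tokens) and tokens[i] in LEVELS:
                level, i = tokens[i], i + 1
            bys.append((who, level))
        acls.append((what, bys))
    return acls


def what_matches(what, entry_dn):
    """Supported <what> selectors: *, dn.base=<dn>, dn.subtree=<dn>."""
    e = entry_dn.lower()
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return e == what[len("dn.base="):].lower()
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].lower()
        return e == base or e.endswith("," + base)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, requester_dn, entry_dn):
    """Supported <who> selectors: *, anonymous, users, self, dn.base=<dn>.
    requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        return requester_dn is not None and \
            requester_dn.lower() == who[len("dn.base="):].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(acls, requester_dn, entry_dn):
    """First 'access to' whose <what> matches is the only one consulted;
    inside it the first 'by' whose <who> matches decides.  A matching
    directive with no matching 'by' denies (implicit 'by * none').  No
    directive matching at all is assumed to deny (not exercised below)."""
    for what, bys in acls:
        if not what_matches(what, entry_dn):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, entry_dn):
                if level is None:
                    raise ValueError("omitted <level> for 'by %s' not modelled" % who)
                return level
        return "none"
    return "none"


def allowed(acls, requester_dn, entry_dn, requested):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(acls, requester_dn, entry_dn)) \
        >= LEVELS.index(requested)


# The configuration as quoted in the thread, and the suggested rewrite.
ORIGINAL = '''
access to * by * read
access to * by * search
access to *
    by self write
    by dn.base="cn=ldap-admin,o=test.com"
    by * none
'''
SUGGESTED = '''
access to * by self write
    by dn.base="cn=ldap-admin,o=test.com" write
    by * read
'''

ADMIN = "cn=ldap-admin,o=test.com"
USER = "cn=alice,o=test.com"   # constructed sample entry


def summarize(config):
    """Who can do what to the sample entry under the given configuration."""
    acls = parse_acl(config)
    return {
        "admin_write": allowed(acls, ADMIN, USER, "write"),
        "self_write": allowed(acls, USER, USER, "write"),
        "anon_read": allowed(acls, None, USER, "read"),
        "anon_search": allowed(acls, None, USER, "search"),  # implied by read
        "anon_write": allowed(acls, None, USER, "write"),
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, summarize(cfg))
```

Running it shows the shadowing the reply points out: under the quoted configuration the first "access to *" grants everyone read, so even the admin DN and the entry's own owner cannot write, while under the rewrite the admin and self clauses are reached before the catch-all "by * read".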