Re: phpldapadmin Config

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, July 13, 2004 1:41 PM -0400 Josiah Ritchie 
<jritchie@bible.edu> wrote:

> Tried those searches above and they didn't work so I went with
> commenting out the ACLs and adding in "access to * by * write" and
> things started working as expected.
>
> Now I need to rewrite my ACLs I guess. Here's what I have:
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> access to *
>         by self write
>         by users read
>         by anonymous auth
> access to dn=".*,dc=cougarnet,dc=bible,dc=edu" attr="userPassword"
>         by dn="cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu" write
>         by dn="cn=samba,ou=People,dc=cougarnet,dc=bible,dc=edu" write
>         by self write
>         by * auth
>
> Looks to me like "access to * by anonymous auth" and "access to dn="..."
> attr="userPassword by * auth" should allow this, but obviously I'm
> wrong.
>
> Thanks for helping me out with this. It's good to know that we now know
> what the problem is and seems like it should be easy to fix with a bit
> more knowledge on my part. Appreciate it.
>
> Does dn.base="" equate to dn=".*,dc=cougarnet,dc=bible,dc=edu"?

ACL's always stop at the first applicable stop, unless the ACL has a break 
statement.

So your "access to *" ACL is where everything will stop, nothing past that 
will be read.

If you add:

	by * break

to it, you should start getting different results.

You may wish to read:

<http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html>

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html