[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Permissions error

To: Matt Juszczak <matt@atopia.net>
Subject: Re: Permissions error
From: Jon Roberts <jon@jonanddeb.net>
Date: Wed, 06 Apr 2005 16:32:25 -0500
Cc: openldap-software@OpenLDAP.org
In-reply-to: <425433A8.8040601@atopia.net>
References: <425433A8.8040601@atopia.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Matt Juszczak wrote:

Here is my slapd access portion. The members of the admin group aren't able to write; however, even though I have a rule saying they can. I have to add a access to * by * to be able to write at all. Any ideas?

...

access to *
       by group.exact="cn=admin,dc=dandy,dc=net" write
       by group.exact="cn=techs,dc=dandy,dc=net" read
       by self write
       by users read
       by anonymous auth
       by * break

# Allow only user to change its password
access to attr=userPassword
       by group="cn=techs,ou=groups,dc=dandy,dc=net" write
       by self write
       by anonymous auth
       by * none

This may not answer your question, but one thing you should do is reverse the order of these rules, otherwise the second will never be reached. See:

http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control%20Evaluation

and note:

"Slapd stops with the first <what> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access."

Jon Roberts
www.mentata.com

Follow-Ups:
- Re: Permissions error
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Permissions error
  - From: Matt Juszczak <matt@atopia.net>

Prev by Date: Re: ldapmodify on multiple dn's
Next by Date: Re: Permissions error
Index(es):
- Chronological
- Thread