
Re: Permissions error



At 02:53 PM 4/6/2005, Quanah Gibson-Mount wrote:


>--On Wednesday, April 06, 2005 4:32 PM -0500 Jon Roberts <jon@jonanddeb.net> wrote:
>
>>Matt Juszczak wrote:
>>>Here is my slapd access portion.  The members of the admin group aren't
>>>able to write, even though I have a rule saying they can.  I
>>>have to add an access to * by * to be able to write at all.  Any ideas?
>>...
>>>access to *
>>>       by group.exact="cn=admin,dc=dandy,dc=net" write
>>>       by group.exact="cn=techs,dc=dandy,dc=net" read
>>>       by self write
>>>       by users read
>>>       by anonymous auth
>>>       by * break
>>>
>>># Allow only user to change its password
>>>access to attr=userPassword
>>>       by group="cn=techs,ou=groups,dc=dandy,dc=net" write
>>>       by self write
>>>       by anonymous auth
>>>       by * none
>>
>>This may not answer your question, but one thing you should do is reverse
>>the order of these rules, otherwise the second will never be reached. See:
>>
>>http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control%20Evaluation
>>
>>and note:
>>
>>"Slapd stops with the first <what> selector that matches the entry and/or
>>attribute. The corresponding access directive is the one slapd will use
>>to evaluate access."
>
>Why would it stop?  He has "by * break" which means that slapd will continue to evaluate the next set of ACL's.

If it gets to the "by * break" clause.  But the two
preceding clauses ensure that the "by * break" clause
is never reached.  That is, users+anonymous == *

Kurt
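The evaluation order Jon and Kurt describe, as an added toy model written for this page (it is not OpenLDAP code, and it ignores slapd's "continue" control and incremental +/- access levels). It encodes the two directives exactly as Matt ordered them and the reversed order Jon suggests, then asks who can do what to another entry's userPassword. The uid= DNs and the group memberships are constructed for the example; the group DNs are the ones from the thread's config, including the two different cn=techs DNs. Because "by users read" and "by anonymous auth" together match every identity, the trailing "by * break" is never reached and the userPassword directive is dead, so in the thread's order every authenticated user gets read on userPassword; reversing the order makes the attribute-specific directive decide first.

```python
"""Toy model of slapd access-directive selection (added example, not OpenLDAP code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory state: which bound DNs are members of which group.
# uid= DNs are invented; group DNs are the ones written in the thread's config.
GROUPS = {
    "cn=admin,dc=dandy,dc=net": {"uid=alice,ou=people,dc=dandy,dc=net"},
    "cn=techs,dc=dandy,dc=net": {"uid=bob,ou=people,dc=dandy,dc=net"},
    "cn=techs,ou=groups,dc=dandy,dc=net": {"uid=bob,ou=people,dc=dandy,dc=net"},
}
ALICE = "uid=alice,ou=people,dc=dandy,dc=net"   # admin group member
BOB = "uid=bob,ou=people,dc=dandy,dc=net"       # techs group member
CAROL = "uid=carol,ou=people,dc=dandy,dc=net"   # authenticated, in no group


@dataclass
class Who:
    selector: str          # '*', 'anonymous', 'users', 'self', 'group[.exact]="<dn>"'
    access: str            # 'none', 'auth', 'read', 'write'
    control: str = "stop"  # 'stop' (slapd default) or 'break' (next directive)


@dataclass
class Rule:
    what_attr: Optional[str]   # None models "access to *"
    clauses: list


def who_matches(selector, bound_dn, target_dn):
    if selector == "*":
        return True
    if selector == "anonymous":
        return bound_dn is None
    if selector == "users":
        return bound_dn is not None
    if selector == "self":
        return bound_dn is not None and bound_dn == target_dn
    if selector.startswith("group"):
        # group= and group.exact= are both treated as a plain membership lookup here
        group_dn = selector.split("=", 1)[1].strip('"')
        return bound_dn in GROUPS.get(group_dn, set())
    raise ValueError(f"unsupported <who> selector: {selector}")


def evaluate(rules, bound_dn, target_dn, attr):
    """Return (access, index of the directive that decided).

    Directives whose <what> does not match are skipped. In the first matching
    directive the first matching <who> clause decides; a 'break' clause instead
    continues with the next directive. A matching directive with no matching
    <who> denies (implicit 'by * none'). No applicable directive at all is
    modelled as 'none' too (a simplification of slapd's default)."""
    for index, rule in enumerate(rules):
        if rule.what_attr is not None and rule.what_attr != attr:
            continue
        for clause in rule.clauses:
            if who_matches(clause.selector, bound_dn, target_dn):
                if clause.control == "break":
                    break                 # fall through to the next directive
                return clause.access, index
        else:
            return "none", index          # <what> matched, no <who> matched
    return "none", None


def break_clause_reachable(rule):
    """Kurt's point as a check: a 'by * break' is only reachable if the clauses
    before it leave some identity unmatched. 'users' plus 'anonymous' (or a bare
    '*') ahead of it cover everyone, so the break is dead. No break -> False."""
    seen = set()
    for clause in rule.clauses:
        if clause.control == "break":
            return not ({"users", "anonymous"} <= seen or "*" in seen)
        seen.add(clause.selector)
    return False


# The two directives in the order Matt posted them.
THREAD_ORDER = [
    Rule(None, [
        Who('group.exact="cn=admin,dc=dandy,dc=net"', "write"),
        Who('group.exact="cn=techs,dc=dandy,dc=net"', "read"),
        Who("self", "write"),
        Who("users", "read"),
        Who("anonymous", "auth"),
        Who("*", "none", "break"),   # access level irrelevant: break passes on
    ]),
    Rule("userPassword", [
        Who('group="cn=techs,ou=groups,dc=dandy,dc=net"', "write"),
        Who("self", "write"),
        Who("anonymous", "auth"),
        Who("*", "none"),
    ]),
]
# Jon's suggestion: attribute-specific directive first, catch-all last.
REORDERED = list(reversed(THREAD_ORDER))

if __name__ == "__main__":
    print("break reachable:", break_clause_reachable(THREAD_ORDER[0]))
    for label, rules in (("thread order", THREAD_ORDER), ("reordered", REORDERED)):
        for name, dn in (("anonymous", None), ("bob", BOB), ("carol", CAROL)):
            print(label, name, "on alice's userPassword:", evaluate(rules, dn, ALICE, "userPassword"))
```

Run it and compare the two orders: in the thread's order carol (any plain authenticated user) reads alice's userPassword via the catch-all directive, while after reordering she gets none from the userPassword directive and still gets read on ordinary attributes from the catch-all. The same experiment against a real server is what slapacl(8) is for; this model only makes the ordering rule visible without a running slapd.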