[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Write access error with GSSAPI on OpenLDAP 2.2.26


Please take a look at section 5.3.4 of the OpenLDAP Administrator's Guide ( http://www.openldap.org/doc/admin23/slapdconf2.html#Access% 20Control ), "Access Control Evaluation". This material is not in the slapd.access(5) man page nor any of the other man pages it points to.

This says, "Slapd stops with the first <what> selector that matches the entry and/or attribute." which means it will stop when it finds the first of your list and if the <who> associated with that one doesn't fit the requester, it will apply the default. The other directives will never be evaluated. That's why Quanah's suggestion is correct.

This section is very helpful in understanding how to construct and order your access directives. Hope this helps.


On Jul 14, 2005, at 7:44 AM, Quanah Gibson-Mount wrote:

--On Thursday, July 14, 2005 6:42 PM +0800 John Mok <jmok@attglobal.net> wrote:

access to *
    by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
access to *
    by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
access to *
    by * read

This should be one statement:

access to * by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write by dn="uid=john/admin,cn=GSSAPI,cn=auth" write by * read


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin