
Re: help with ACLs



Denis Sacchet wrote:
As you put "by * read", anyone can read the three specified attributes. Delete this line, and anonymous users will be able to authenticate, the node will be able to modify itself, and all other kinds of users will be denied access.


access to *
       by * read

With this placed after, the whole directory will be visible to everybody (including anonymous ones); perhaps it would be better to put "by user read" here, but that is just a "supposition", as I don't know what you want to do with your directory.


Best regards

Denis Sacchet

thanks, when I changed

access to *
      by * read

to

access to *
      by self read

and restarted slapd, I can't log in properly.  The setting is too restrictive.

id: cannot find name for user ID 511
[I have no name!@roark ~]$

and when I put it as

access to *
   by user read

slapd complains that the configuration file is not valid. I'm just trying to have my directory work, where users can log in to their shell account file, Samba users can authenticate fine, and no one can see or change anyone else's passwords.

so now my ACL is:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
       by self write
       by anonymous auth
       by * none

access to *
       by * read
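The ACL above is close to what the poster describes wanting. The following is an added, commented slapd.conf fragment (not from the thread or from the OpenLDAP project) that spells out why each clause is there and why the earlier attempts failed. It assumes a placeholder suffix `dc=example,dc=com`, that the clients' NSS lookups (getpwuid and friends) are done over an anonymous bind, and a placeholder Samba administrative DN `cn=samba,dc=example,dc=com`; the `dn.exact` form is OpenLDAP 2.1+ syntax.

```conf
# Added example for slapd.conf; suffix and DNs below are placeholders.

# 1. Password hashes. This clause must come BEFORE "access to *":
#    slapd uses the first "access to" clause whose target matches,
#    so a later "access to *" would never reach these attributes.
#    - self write:   a user may change their own hashes.
#    - dn.exact ...: the Samba admin DN (assumed) may rewrite the
#                    samba* hashes on smbpasswd / password change.
#    - anonymous auth: an unauthenticated client may BIND against
#                    the hash (slapd compares it) but can never read it.
#    - * none:       every other user sees nothing.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn.exact="cn=samba,dc=example,dc=com" write
        by anonymous auth
        by * none

# 2. Everything else (uid, uidNumber, gidNumber, homeDirectory,
#    loginShell, ...). NSS on the clients resolves UIDs with an
#    anonymous search on most setups, so "by self read" here stops
#    getpwuid() from working and the shell shows "I have no name!".
#    If your NSS client binds with a proxy DN instead, "by users read"
#    is the tighter choice; the keyword is "users", not "user", which
#    is why "by user read" made slapd reject the configuration file.
access to *
        by * read
```

To check the result after restarting slapd, run an anonymous `ldapsearch -x -b "dc=example,dc=com" "(uid=someuser)"` and confirm the entry comes back without any `userPassword` or `samba*Password` attribute, then bind as that user with `ldapwhoami -x -D "uid=someuser,ou=People,dc=example,dc=com" -W` to confirm the `anonymous auth` clause still allows authentication.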