Re: Help with 2.4 ACLs



Duncan Brannen wrote:
> 
> 
> An upgrade from 2.3.38 to 2.4.7 seems to have caused my ACLs to stop
> working in that anonymous users can no longer search the tree to find
> their entry to authenticate.
> 
> 
> With an acl of
> 
> access to dn.base="" by * read
> 
> access to dn.base="cn=Subschema" by * read
> 
> access to dn.subtree="ou=People,dc=st-andrews,dc=ac,dc=uk"
>        by * read
> 
> access to *
>        by users read
>        by anonymous auth
> 
> All anonymous searches get insufficient access returned
> 
> Logging of ACLs shows
> 
> => slap_access_allowed: search access denied by auth(=xd)
> 
> Any thoughts on what extra I need for this to work in 2.4?

Your ACLs are broken.  In fact, by moving the "by * auth" into the last
rule, you prevent auth'ing for any user whose credentials match any of
the previous rules.  Either you add "by * auth" to all rules matching
potential credentials, or you place a

access to attrs=userPassword
	by * auth

before any rule that matches potential credentials (note that you may
need to enhance the above if any user must be able to change its own
password).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
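Pierangelo's suggestion applied to the rules quoted above, as an added example (this is not configuration posted by either participant). slapd evaluates "access to" clauses in order and uses the first one whose target matches, so a rule for the userPassword attribute has to precede any rule that also covers that attribute. The "by self write" clause is the usual way to let users change their own password; it is the enhancement the reply alludes to, not something the reply spells out. The other clauses are Duncan's, unchanged.

```conf
# Added example, not from the original thread. Put the password rule first:
# once a later rule (such as the ou=People subtree rule below) matches an
# entry, slapd never reaches "by anonymous auth" in the final catch-all.
access to attrs=userPassword
        by self write
        by * auth

# Duncan's original rules follow in their original order.
access to dn.base="" by * read

access to dn.base="cn=Subschema" by * read

access to dn.subtree="ou=People,dc=st-andrews,dc=ac,dc=uk"
        by * read

access to *
        by users read
        by anonymous auth
```

A side effect worth having: with the userPassword rule in front, nobody gets read access to password hashes any more. In the original ordering the subtree rule, which names no attribute list, applied to every attribute under ou=People, so "by * read" let anonymous clients read userPassword values as well.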