
Re: user they can modify passwords

On Thu, 12 Jun 2008, Sven Buchstaller wrote:

I need a user "it" that can modify the passwords of all users in my LDAP.
At the moment my settings in the acl.conf are:
Can I do it like this:
access to dn.subtree="ou=users,dc=server1,dc=intern"
    by self write
    by dn="uid=intern,ou=users,dc=server1,dc=intern"
    by * read
    by dn="uid=it,ou=users,dc=server1,dc=intern"
    by * write

1. Best practice is to write "dn.exact" if that's your intention.
2. You have no <access> fields for uid=intern or uid=it.
3. Two "by *" rules are irrelevant; only one can fire (in the absence of any <control> fields).
4. Most, most, most importantly, order matters. So those last two lines are never reached; "by * read" matches everything first.

Please read slapd.access(5) man page entirely and carefully.
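To make the four points concrete, here is a small first-match simulator for the subset of slapd.access(5) syntax used in the thread, together with the posted ACL and two rewrites of it. This is an added example, not code from the thread, from OpenLDAP, or from either poster: the evaluator models only `access to <what> by <who> [<access>]` with DN-based and `attrs=` <what> clauses and `*`, `self`, `anonymous`, `users` and `dn=`/`dn.exact=` <who> clauses; bare `dn=` is treated as `dn.exact` (the real default depends on your version, which is why the reply says to write it out), a `by` clause without an <access> is treated as granting nothing, and a target that matches no directive gets slapd's default of read. The user `uid=alice` and the two corrected ACLs (FIXED and PASSWORD_ONLY) are this example's own constructions; the posted config never says what `uid=intern` should be allowed to do, so the rewrites leave it out.

```python
"""Toy first-match evaluator for a subset of OpenLDAP slapd.access(5).

Added example, not code from the thread or from OpenLDAP.  Directives are
tried top down: the first whose <what> matches the target is used, and
inside it only the first `by` whose <who> matches the bound DN decides.
"""
import shlex

# <access> levels in increasing order, as listed in slapd.access(5).
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")


def _norm(dn):
    # Toy DN normalisation: lower-case, blanks around RDNs stripped.
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_acl(text):
    """Parse one `access to <what> by <who> [<access>] ...` directive."""
    toks = shlex.split(text)                 # also strips the quotes off DNs
    if toks[:2] != ["access", "to"]:
        raise ValueError("expected 'access to ...'")
    acl = {"dn": None, "attrs": None, "by": []}
    i = 2
    while i < len(toks) and toks[i] != "by":                 # <what> part
        key, _, val = toks[i].partition("=")
        if key == "dn":                      # bare dn= treated as exact here (point 1)
            acl["dn"] = ("exact", val)
        elif key in ("dn.exact", "dn.subtree"):
            acl["dn"] = (key[3:], val)
        elif key == "attrs":
            acl["attrs"] = {a.strip().lower() for a in val.split(",")}
        elif key != "*":
            raise ValueError("unsupported <what>: " + toks[i])
        i += 1
    while i < len(toks):                                     # by <who> [<access>]
        if toks[i] != "by" or i + 1 >= len(toks):
            raise ValueError("malformed by clause")
        who, level = toks[i + 1], None       # level None == missing <access> (point 2)
        if i + 2 < len(toks) and toks[i + 2] in LEVELS:
            level = toks[i + 2]
            i += 1
        acl["by"].append((who, level))
        i += 2
    return acl


def _what_matches(acl, target_dn, attr):
    if acl["dn"] is not None:
        style, base = acl["dn"]
        t, b = _norm(target_dn), _norm(base)
        if t != b and (style == "exact" or not t.endswith("," + b)):
            return False
    if acl["attrs"] is not None and (attr is None or attr.lower() not in acl["attrs"]):
        return False
    return True


def _who_matches(who, bound_dn, target_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bound_dn is None) == (who == "anonymous")
    if who == "self":
        return bound_dn is not None and _norm(bound_dn) == _norm(target_dn)
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact"):            # bare dn= treated as exact here too
        return bound_dn is not None and _norm(bound_dn) == _norm(val)
    raise ValueError("unsupported <who>: " + who)


def evaluate(acls, bound_dn, target_dn, attr=None):
    """<access> that bound_dn gets on target_dn (or on one of its attributes)."""
    for acl in acls:
        if not _what_matches(acl, target_dn, attr):
            continue
        for who, level in acl["by"]:         # first matching by fires, rest never reached (points 3, 4)
            if _who_matches(who, bound_dn, target_dn):
                return level or "none"       # no <access> given -> nothing granted (this toy's reading)
        return "none"                        # directive matched but no by did
    return "read"                            # slapd's default when no directive matches


# Constructed copy of the ACL as posted in the thread.
POSTED = [parse_acl('''
access to dn.subtree="ou=users,dc=server1,dc=intern"
    by self write
    by dn="uid=intern,ou=users,dc=server1,dc=intern"
    by * read
    by dn="uid=it,ou=users,dc=server1,dc=intern"
    by * write''')]

# Rewrite added here: the specific DN sits above the catch-all, carries its
# <access>, and is written dn.exact.
FIXED = [parse_acl('''
access to dn.subtree="ou=users,dc=server1,dc=intern"
    by self write
    by dn.exact="uid=it,ou=users,dc=server1,dc=intern" write
    by * read''')]

# Tighter rewrite added here: "it" may change passwords only.  The more
# specific attrs= directive must come first, and "by anonymous auth" keeps
# simple binds working.
PASSWORD_ONLY = [parse_acl('''
access to attrs=userPassword
    by self write
    by dn.exact="uid=it,ou=users,dc=server1,dc=intern" write
    by anonymous auth
    by * none'''),
    parse_acl('access to dn.subtree="ou=users,dc=server1,dc=intern" by self write by * read')]

IT = "uid=it,ou=users,dc=server1,dc=intern"
INTERN = "uid=intern,ou=users,dc=server1,dc=intern"
ALICE = "uid=alice,ou=users,dc=server1,dc=intern"   # constructed ordinary user

if __name__ == "__main__":
    for name, acls in (("posted", POSTED), ("fixed", FIXED), ("password-only", PASSWORD_ONLY)):
        print(f"{name:14} it on alice: {evaluate(acls, IT, ALICE):5} "
              f"it on alice/userPassword: {evaluate(acls, IT, ALICE, 'userPassword'):5} "
              f"intern on alice: {evaluate(acls, INTERN, ALICE)}")
```

Running it shows "it" getting only read under the posted ACL because `by * read` fires before its own clause, "intern" getting nothing because its clause has no <access>, and "it" getting write under either rewrite. The PASSWORD_ONLY variant is the one to prefer when the goal really is just password resets, since the subtree-wide `by dn.exact=... write` in FIXED also lets "it" change every other attribute of every user.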