
Re: ACL Question

Tim Gustafson wrote:
Similarly, other ACLs after this one may grant access to cn=log. Your current ACL only grants read access to the group ldap-admins. It doesn't specify rights for other users. Explicitly deny access to others like this

I tried that as well and got the same result. Also, the man page says that each "access to" stanza is implicitly terminated by a "by * none", so specifying this seems to be unnecessary.

Absolutely. My bad.

A few things you could check here:
1) If this ACL is in the global context, per-database ACLs will precede it. They may be giving read access.
2) Run with loglevel ACL. The log will detail ACL evaluation, and you'll see exactly which ACL grants access.
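
The two checks above, shown as an added slapd.conf fragment that is not from the original thread. The group DN, the database backend and the suffix are assumptions chosen for illustration.

```conf
# Constructed slapd.conf fragment; DNs, suffix and backend are assumptions.

# Check 2: log ACL evaluation so the log shows which rule grants access.
loglevel acl

# Global context (before any "database" line).
# For an entry held in a database, these rules are consulted only after
# that database's own ACLs.
access to dn.subtree="cn=log"
    by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" read
    by * none

database mdb
suffix "cn=log"

# Check 1: a per-database rule such as the one commented out below is
# evaluated before the global rule above. It matches every entry and gives
# everyone read access, so the global restriction is never reached.
#access to *
#    by * read

# Restriction placed in the database that holds cn=log, ahead of any
# broader per-database rule.
access to dn.subtree="cn=log"
    by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" read
    by * none
```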