[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problem in slapd.conf

To: Jonathan Clarke <jonathan@phillipoux.net>
Subject: Re: ACL problem in slapd.conf
From: Tomasz Chmielewski <mangoo@wpkg.org>
Date: Fri, 04 Sep 2009 14:35:20 +0200
Cc: openldap-software@openldap.org
In-reply-to: <4AA108B3.3030400@phillipoux.net>
References: <4AA0E5C6.7000700@wpkg.org> <4AA10350.6080105@phillipoux.net> <4AA10521.2020305@wpkg.org> <4AA108B3.3030400@phillipoux.net>
User-agent: Thunderbird 2.0.0.23 (X11/20090830)

Jonathan Clarke wrote:

access to dn.subtree="ou=Users,dc=example,dc=com"
by dn="uid=Operator,ou=Users,dc=example,dc=com" write
by * read
by self write
by dn="uid=replica,ou=Users,dc=example,dc=com" write
by anonymous auth
by * none
Be careful - none of the "by" clauses after the 2nd ("by * read") willbe read. The first matching clause wins, and "*" matches everyone.

auth is only meaningful on the userPassword attribute, which you alreadygranted in your first ACL (well, except some implicit searches duringbind, but this is a rare case).

Thanks for an explanation - it's now more clear to me how these rulesare processed.


--
Tomasz Chmielewski
http://wpkg.org

References:
- ACL problem in slapd.conf
  - From: Tomasz Chmielewski <mangoo@wpkg.org>
- Re: ACL problem in slapd.conf
  - From: Jonathan Clarke <jonathan@phillipoux.net>
- Re: ACL problem in slapd.conf
  - From: Tomasz Chmielewski <mangoo@wpkg.org>
- Re: ACL problem in slapd.conf
  - From: Jonathan Clarke <jonathan@phillipoux.net>

Prev by Date: Re: ACL problem in slapd.conf
Next by Date: Re: OpenLDAP and SASL
Index(es):
- Chronological
- Thread