[Date Prev][Date Next] [Chronological] [Thread] [Top]


Hi Owen,
thanks for the explanation!
Now everything woks fine with these options:
 access to dn.subtree="o=Administrators,dc=<base>"
        by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
access to dn.subtree="dc=<domain_2>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write

Thank you!

2010/3/19 Owen Marshall <omarshall@facilityone.com>
On Fri, 2010-03-19 at 12:54 +0100, Carlo Pradissitto wrote:
> access to * by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

With no access stanza, OpenLDAP defaults to:

access to *
      by anonymous  read
      by *          none

As soon as you assign an access stanza, this default goes away.

As it stands, you are not giving Administrator1 any permission to bind.
Your access stanza doesn't mention anything under the administrative

At the very least, you will need something like:
access to dn.subtree="o=Administrators,dc=<base>" by anonymous bind

You *will* need to fine-tune this. ;-)

Some decent information on ACLs can be found at

Also, set debug level 128 to view ACL processing -- this will be
invaluable to you.

Owen Marshall
omarshall@facilityone.com | (502) 805-2126