
Re: ACL



Hi Owen,
thanks for the explanation!
Now everything works fine with these options:
access to dn.subtree="o=Administrators,dc=<base>"
        by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
access to dn.subtree="dc=<domain_2>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write

Thank you!
Carlo


2010/3/19 Owen Marshall <omarshall@facilityone.com>
On Fri, 2010-03-19 at 12:54 +0100, Carlo Pradissitto wrote:
> access to * by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

With no access stanza, OpenLDAP defaults to:

access to *
      by anonymous  read
      by *          none

As soon as you assign an access stanza, this default goes away.

As it stands, you are not giving Administrator1 any permission to bind.
Your access stanza doesn't mention anything under the administrative
section.

At the very least, you will need something like:
access to dn.subtree="o=Administrators,dc=<base>" by anonymous auth

You *will* need to fine-tune this. ;-)

Some decent information on ACLs can be found at
http://www.zytrax.com/books/ldap/ch6/

Also, set debug level 128 to view ACL processing -- this will be
invaluable to you.

--
Owen Marshall
FacilityONE
omarshall@facilityone.com | (502) 805-2126
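As an added illustration (not code from this thread or from OpenLDAP), the following Python models the slapd ACL evaluation Owen describes: the first matching "access to" clause wins, within it the first matching "by" wins, and an unmatched request falls to the implicit "by * none", which is why a bind by Administrator1 fails until an "auth" grant on the administrators' subtree exists. The WORKING configuration string and the dc=example,dc=org base are constructed stand-ins for Carlo's stanzas, and only entry-level access (not per-attribute rules) is modelled.

```python
import re
# Privilege levels in slapd.access(5) order; a grant satisfies any lower request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    # -> [(subtree_base_or_'*', [(who, level), ...]), ...] in file order (subset)
    rules = []
    for chunk in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        m = re.match(r'(?:dn\.subtree="([^"]+)"|\*)', chunk)
        rules.append((m.group(1) or "*",
                      re.findall(r'\bby\s+(anonymous|\*|dn="[^"]+")\s+(\w+)', chunk)))
    return rules

def who_matches(who, bind_dn):
    if who == "anonymous":
        return bind_dn is None
    return who == "*" or (bind_dn is not None and who[4:-1].lower() == bind_dn.lower())

def allowed(rules, bind_dn, entry_dn, level):
    # First 'access to' whose subtree holds entry_dn wins; within it the first
    # matching 'by' wins; anything unmatched hits slapd's implicit 'by * none'.
    e = entry_dn.lower()
    for target, whos in rules:
        if target == "*" or e == target.lower() or e.endswith("," + target.lower()):
            for who, granted in whos:
                if who_matches(who, bind_dn):
                    return LEVELS.index(granted) >= LEVELS.index(level)
            return False
    return False

def can_bind(rules, user_dn):
    # A simple bind is an anonymous 'auth' check on the user's own entry.
    return allowed(rules, None, user_dn, "auth")

BASE = "dc=example,dc=org"  # constructed stand-in for the thread's dc=<base>
ADMIN = f"cn=Administrator1,ou=domain1Administrators,o=Administrators,{BASE}"
WORKING = f'''
access to dn.subtree="o=Administrators,{BASE}"
        by anonymous auth
access to dn.subtree="dc=domain1,{BASE}"
        by dn="{ADMIN}" write
'''

def demo():
    rules = parse_acl(WORKING)
    return {
        "bind_with_auth_clause": can_bind(rules, ADMIN),   # True
        "bind_without_it": can_bind(rules[1:], ADMIN),     # False: Owen's point
        "anon_reads_domain1": allowed(rules, None, f"dc=domain1,{BASE}", "read"),  # False
    }
```

Dropping the first stanza (rules[1:]) reproduces the failure Owen diagnosed, while "access to * by * write" lets anyone bind, matching Carlo's original over-permissive line.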