
Re: olcAccess problem


Thank you very much, it was very clear.

I already have the Administrator Guide 2.4 and it was not clear in it (as to the way to configure it the first time).


Aurélien Lafranchise | Consultant
Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11

2011/6/7 Ondrej Kuznik <ondrej.kuznik@acision.com>

On 06/06/2011 01:47 PM, Aurélien Lafranchise wrote:
> Hi,
> On my olcDatabase={1}bdb,cn=config I added an ACL :
> {0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by
> * auth
> I don't understand why I have to add by * auth to allow the two previous
> users to be logged in?

Most of the time when connecting to the ldap server, your connection
starts unauthenticated and you are an anonymous user. To be able to
authenticate via simple bind, the account's userPassword attribute needs
to have an auth permission to be considered. The common thing to do is
to add this as the first ACL in the list:

olcAccess: {0}to attrs=userPassword by self write by * auth

If you want replication of user accounts, then you need to grant an
additional privilege to the replication user to read it. Something like

olcAccess: {0}to * by dn.exact="the replication user's dn" read by *
olcAccess: {1}to attrs=userPassword by self write by * auth

You definitely need to read man slapd.access though.

--
Ondrej Kuznik
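The two points made in the reply (an anonymous requester needs `auth` on `userPassword` to simple-bind, and the replication user needs `read` on it) both hinge on how slapd evaluates olcAccess: per slapd.access(5), directives are tried in order, the first `to` clause whose target matches is the only one consulted, the first matching `by` clause inside it decides the level, and an unmatched `by` list falls through to an implicit `by * none`. The toy evaluator below is an added example, not code from the thread or from OpenLDAP; it implements that evaluation order for a small subset of the syntax and runs it over rule sets constructed from the DNs in the thread (`cn=replicator,dc=truc` is an assumed name). It shows why the original `to *` rule needs `by * auth`, why the userPassword directive has to be listed before a `to *` directive, and that a `to *` directive listed first shadows everything after it, including the replicator's own bind.

```python
"""Toy evaluator for a subset of OpenLDAP olcAccess syntax (added example).

Models the evaluation order from slapd.access(5): directives in order,
first matching "to" wins, first matching "by" inside it decides the level,
implicit "by * none" when no "by" matches, implicit "to * by * none" when
no directive matches (but default "read" when there are no directives at
all). Only stop semantics; break/continue, sets, regex and the
add/delete refinements of "write" are not modelled.
"""
import re
import shlex

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    """Simplified DN normalisation: lowercase, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_acl(line):
    """Parse '{n}to <what> by <who> <level> [by ...]' into a dict."""
    tokens = shlex.split(line)                  # shlex handles the quoted DNs
    if tokens[0].startswith("{"):               # drop the {n} ordering prefix
        tokens[0] = tokens[0][tokens[0].index("}") + 1:]
    if tokens[0] != "to":
        raise ValueError("expected 'to' in %r" % line)
    what, by_clauses, i = {}, [], 1
    while i < len(tokens) and tokens[i] != "by":
        tok = tokens[i]
        if tok == "*":
            pass                                # no target constraint
        elif tok.startswith("attrs="):
            what["attrs"] = {a.lower() for a in tok[len("attrs="):].split(",")}
        elif tok.startswith("dn.exact=") or tok.startswith("dn="):
            what["dn_exact"] = normalize_dn(tok.split("=", 1)[1])
        elif tok.startswith("dn.subtree="):
            what["dn_subtree"] = normalize_dn(tok.split("=", 1)[1])
        else:
            raise ValueError("unsupported <what> selector %r" % tok)
        i += 1
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError("malformed 'by <who> <level>' clause in %r" % line)
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in LEVELS:
            raise ValueError("unsupported access level %r" % level)
        by_clauses.append((who, level))
        i += 3
    return {"what": what, "by": by_clauses}


def matches_what(what, entry_dn, attr):
    """Does this directive's <what> select the given entry/attribute?"""
    d = normalize_dn(entry_dn)
    if "attrs" in what and attr.lower() not in what["attrs"]:
        return False
    if "dn_exact" in what and d != what["dn_exact"]:
        return False
    if "dn_subtree" in what:
        base = what["dn_subtree"]
        if d != base and not d.endswith("," + base):
            return False
    return True


def matches_who(who, requester_dn, entry_dn):
    """Does this <who> selector match the requester? '' is anonymous."""
    req = normalize_dn(requester_dn)
    if who == "*":
        return True
    if who == "anonymous":
        return req == ""
    if who == "users":
        return req != ""
    if who == "self":
        return req != "" and req == normalize_dn(entry_dn)
    if who.startswith("dn.exact=") or who.startswith("dn="):
        return req == normalize_dn(who.split("=", 1)[1])
    raise ValueError("unsupported <who> selector %r" % who)


def access_level(acl_lines, requester_dn, entry_dn, attr):
    """Level the requester gets on (entry_dn, attr) under these directives."""
    acls = [parse_acl(line) for line in acl_lines]
    for acl in acls:
        if matches_what(acl["what"], entry_dn, attr):   # first matching "to" wins
            for who, level in acl["by"]:
                if matches_who(who, requester_dn, entry_dn):
                    return level                          # first matching "by" wins
            return "none"                                 # implicit "by * none"
    return "none" if acls else "read"   # implicit "to * by * none"; no ACLs at all: read


def allows(acl_lines, requester_dn, entry_dn, attr, needed):
    return LEVELS.index(access_level(acl_lines, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)


def can_simple_bind(acl_lines, bind_dn):
    """A simple bind is evaluated as anonymous and needs 'auth' on userPassword of the bind DN."""
    return allows(acl_lines, "", bind_dn, "userPassword", "auth")


# Constructed rule sets using the DNs from the thread; cn=replicator,dc=truc is an assumed name.
OP_RULES = ['{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth']
OP_RULES_WITHOUT_AUTH = ['{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read']
RECOMMENDED = [  # password directive first, then the general one
    '{0}to attrs=userPassword by self write by anonymous auth by dn.exact="cn=replicator,dc=truc" read by * none',
    '{1}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by dn.exact="cn=replicator,dc=truc" read by * none',
]
SHADOWED = [  # "to *" listed first: the userPassword directive is never reached
    '{0}to * by dn.exact="cn=replicator,dc=truc" read by * none',
    '{1}to attrs=userPassword by self write by * auth',
]

if __name__ == "__main__":
    for name, rules in [("OP", OP_RULES), ("OP without auth", OP_RULES_WITHOUT_AUTH),
                        ("recommended", RECOMMENDED), ("shadowed", SHADOWED)]:
        print("%-16s user1 can bind: %s" % (name, can_simple_bind(rules, "cn=user1,dc=truc")))
```

Under `RECOMMENDED`, user1's `write` on `to *` no longer reaches other accounts' `userPassword` (the first directive answers with `none` for it), while the replicator reads passwords and everything else. Under `SHADOWED` nobody, not even the replicator, can simple-bind, because the anonymous requester is answered by the `to *` directive before the password rule is ever looked at. `by anonymous auth` is used instead of `by * auth` because slapd evaluates the bind check for the anonymous identity, and ending each directive with an explicit `by * none` makes the implicit default visible to the next person reading the configuration.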

