
Re: Usage of groups in an access control

I think you should also have a look at the order of your ACLs. If you place an "access to *" before an "access to dn.children", the second will not be evaluated (if there is no "break"...)



access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
        by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
        by * none

I searched around and changed dn.children to dn.subtree and dn.one, but the result is the same. I can read the entries but I cannot insert or delete an entry. I can only do this with admin, but only if the line for admin is defined. What did I do wrong or understand wrong? I tried to find the answer on the internet but was not able to :(

OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39)
Debian 6.0.6
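To make the ordering point concrete, here is a small model of slapd's first-match ACL evaluation written for this page (it is an added example, not code from the thread or from OpenLDAP). It encodes the two "access to" clauses above in the poster's order and in the corrected order, and replays the poster's experiment of swapping dn.children for dn.subtree and dn.one. The user DNs (alice, bob) and the groupOfNames membership are constructed for the demo; the "break"/"continue" controls the reply alludes to are deliberately not modelled.

```python
# Added example: a toy model of slapd's first-match ACL evaluation. Not from
# the thread or from OpenLDAP; alice, bob and GROUPS are constructed data.

# slapd privilege levels in increasing order; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,dc=example,dc=com"
ABK1 = "ou=abk1,ou=Addressbooks,dc=example,dc=com"
ABK_ADMIN = "cn=abk-admin,ou=Roles,dc=example,dc=com"
ABK_USER = "cn=abk-user,ou=Roles,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"   # constructed abk-admin member
BOB = "uid=bob,ou=People,dc=example,dc=com"       # constructed abk-user member

# Constructed groupOfNames membership (the groups' 'member' attribute values).
GROUPS = {ABK_ADMIN: {ALICE}, ABK_USER: {BOB}}


def _rdns(dn):
    """Split a DN into normalised RDN components, leaf first."""
    return [c.strip().lower() for c in dn.split(",")]


def target_matches(target, entry_dn):
    """Does an 'access to <target>' clause select entry_dn?"""
    kind, base = target
    if kind == "*":
        return True
    e, b = _rdns(entry_dn), _rdns(base)
    under = len(e) >= len(b) and e[-len(b):] == b   # entry is base or below it
    if kind == "base":
        return e == b
    if kind == "subtree":       # dn.subtree: base and everything below it
        return under
    if kind == "one":           # dn.one: exactly one level below base
        return under and len(e) == len(b) + 1
    if kind == "children":      # dn.children: anything strictly below base
        return under and len(e) > len(b)
    raise ValueError(kind)


def subject_matches(subject, bind_dn):
    """Does a 'by <subject>' clause apply to the bound identity (None = anonymous)?"""
    kind, value = subject
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if kind == "users":
        return bind_dn is not None
    if kind == "dn":
        return bind_dn is not None and _rdns(bind_dn) == _rdns(value)
    if kind == "groupOfNames":
        return bind_dn in GROUPS.get(value, set())
    raise ValueError(kind)


def evaluate(acls, entry_dn, bind_dn):
    """First-match evaluation: the first 'access to' clause whose target matches
    the entry decides, and within it the first matching 'by' clause sets the
    level. Later clauses are never consulted ('break'/'continue' not modelled).
    Returns (level, index of the deciding clause or None)."""
    for i, (target, by_list) in enumerate(acls):
        if not target_matches(target, entry_dn):
            continue
        for subject, level in by_list:
            if subject_matches(subject, bind_dn):
                return level, i
        return "none", i          # slapd's implicit trailing 'by * none'
    return "none", None           # nothing matched; treated as deny in this model


def allowed(acls, entry_dn, bind_dn, want):
    """True if the level granted by the ACLs is at least 'want'."""
    level, _ = evaluate(acls, entry_dn, bind_dn)
    return LEVELS.index(level) >= LEVELS.index(want)


# The poster's ordering: the catch-all comes first and wins for every entry.
BROKEN = [
    (("*", None), [(("dn", ADMIN), "write"), (("*", None), "read")]),
    (("children", ABK1), [(("dn", ADMIN), "write"),
                          (("groupOfNames", ABK_ADMIN), "write"),
                          (("groupOfNames", ABK_USER), "read"),
                          (("*", None), "none")]),
]

# Most specific target first; the catch-all only handles what nothing else did.
FIXED = [BROKEN[1], BROKEN[0]]


def variants(kind):
    """The broken ordering with dn.children swapped for dn.subtree or dn.one,
    reproducing the poster's experiment: the change cannot make a difference."""
    _target, by_list = BROKEN[1]
    return [BROKEN[0], ((kind, ABK1), by_list)]


if __name__ == "__main__":
    entry = "cn=Someone," + ABK1
    for name, acls in (("broken", BROKEN), ("fixed", FIXED)):
        lvl, idx = evaluate(acls, entry, ALICE)
        print(f"{name}: alice on {entry}: {lvl} (decided by clause {idx})")
```

Under BROKEN, clause 0 matches every entry, so alice gets "read" from "by * read" and the abk1 clause is dead code, whichever of dn.children, dn.subtree or dn.one it uses. Under FIXED the abk1 clause is consulted first, alice gets "write", bob "read", anonymous nothing, and the catch-all still governs entries outside the address book. Real slapd also has rootdn bypassing ACLs entirely and the "break"/"continue" controls that let evaluation fall through to later clauses; neither is part of this toy.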