[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Usage of groups in an access control

To: Marco de Booij <marco.maillist@debooy.eu>
Subject: Re: Usage of groups in an access control
From: Markus Widmer <markus.widmer@daasi.de>
Date: Mon, 28 Jan 2013 09:02:07 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <51050765.6080600@debooy.eu>
References: <51050765.6080600@debooy.eu>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130124 Thunderbird/17.0.2

I think you should also have a look on the order of you ACLs. If youplace a "access to *" before a "access to dn.children" the second willnot be evaluated (if there is no "break"...)


Cheers,

    -Markus-

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
        by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
        by * none
I searched around and changed dn.children by dn.subtree and dn.one butthe result is the same. I can read the entries but I cannot insert ordelete an entry. I can only do this with admin but only if the linefor admin is defined. What did I do wrong or understood wrong? Itried to find the answer on the internet but was not able :(
OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39)
Debian 6.0.6

Regards,

Marco

References:
- Usage of groups in an access control
  - From: Marco de Booij <marco.maillist@debooy.eu>

Prev by Date: Re: Usage of groups in an access control
Next by Date: Re: Usage of groups in an access control
Index(es):
- Chronological
- Thread