
Re: Problem with ACLs



On Fri, Aug 31, 2018 at 08:23:37AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, August 30, 2018 3:17 PM -0500 Bill Bradford <mrbill@mrbill.net> wrote:
>
> >  by dn="cn=Manager,dc=domain,dc=com" write
>
> This should also be dn.exact

I'll fix that, but this user (rootDN) has the required privs and
has already worked fine for a couple of years now.

> >  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
>
> Are you sure this is the DN returned by ldapwhoami?

I'm not logging in to a Linux box as this user; I'm using this DN as
credentials (in Apache Directory Studio, ldapsearch, etc.) and connecting
just fine - just not with the ability to read other users' passwords.

> Past that, I'd suggest you test with slapacl and potentially ACL level debugging.

See reply I just sent to Jason about slapacl not behaving.

Thanks.  I hope to be able to hammer this out today.  My end result is
to have a user with all the privs of the RootDN, but as "read-only" and
without the ability to make any changes - so that we don't have to give
out the RootDN and password to apps that want to authenticate against LDAP.

Bill

--
Bill Bradford
Houston, Texas USA
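
An added example for reference (not part of this thread, and not Bill's actual
configuration): a minimal slapd.conf-style ACL set that gives the read-only
account read access to everything, including userPassword, without granting it
any write access. It reuses the DNs from the thread (dc=domain,dc=com,
ou=Users, uid=romanager); the slapd.conf path /etc/openldap/slapd.conf and the
test entry uid=alice are assumptions for illustration.

```conf
# Added example, not from the thread.  slapd evaluates "access to" clauses in
# order and uses the FIRST clause whose <what> matches the entry/attribute;
# within that clause it uses the FIRST "by" whose <who> matches.  So the
# userPassword rule has to come before the catch-all "access to *" clause,
# otherwise the catch-all decides password access and this rule is never seen.

# Hashed passwords: the read-only account may read them, owners may change
# their own, anonymous binds may only use them to authenticate.
access to attrs=userPassword
    by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
    by self write
    by anonymous auth
    by * none

# Everything else: read-only account reads all, users may edit their own
# entry and read the rest.  No "by" clause ever gives romanager write.
access to *
    by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
    by self write
    by users read
    by * none

# Note: the rootdn (cn=Manager,dc=domain,dc=com here) is never subject to
# ACLs, so a "by dn.exact=<rootdn> write" line is harmless but unnecessary.
```

To confirm what slapd would decide without going through a client, run slapacl
against the same config, binding as the read-only account and asking about a
specific attribute and privilege on a specific entry (path and test entry are
assumptions): `slapacl -f /etc/openldap/slapd.conf -D "uid=romanager,ou=Users,dc=domain,dc=com" -b "uid=alice,ou=Users,dc=domain,dc=com" userPassword/read`
should report that read is allowed, and the same command with `userPassword/write`
should report it denied. The `-D` value must be exactly the DN ldapwhoami returns
for the bound account; a `dn.exact` pattern does not match any other spelling
of it.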