[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: granting write privileges to alternate updatedn

To: "Heinemann, Peter G" <phei@isc.upenn.edu>, openldap-technical@openldap.org
Subject: Re: granting write privileges to alternate updatedn
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Tue, 23 Oct 2018 15:01:57 -0700
Content-disposition: inline
In-reply-to: <SN1PR10MB07990C7F88BF2EC2091B819283F50@SN1PR10MB0799.namprd10.prod.outlook.com>
References: <SN1PR10MB07990C7F88BF2EC2091B819283F50@SN1PR10MB0799.namprd10.prod.outlook.com>

Hi Peter,

--On Tuesday, October 23, 2018 2:48 PM +0000 "Heinemann, Peter G"<phei@isc.upenn.edu> wrote:

access to dn.subtree="dc=university,dc=edu"
  by dn.exact="cn=grouper-admin,dc=university,dc=edu" write
  by * break


Why do you have by * break if it is the only acl?  Should just be:

access to dn.subtree="dc=university,dc=edu"
  by dn.exact="cn=grouper-admin,dc=university,dc=edu" write

However, if this is your only ACL, I'm not clear how you're going to beable to authenticate as the user unless you're doing some SASL regexpmapping? Otherwise, anonymous *must* have auth access to the userPasswordattribute for simple binds to function.

Also unclear to me how slapacl would result in "read" access vs "none" ifthat is your only ACL. It sounds like there's more at play here than thesnippets you've provided.


Warm regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- granting write privileges to alternate updatedn
  - From: "Heinemann, Peter G" <phei@isc.upenn.edu>

Prev by Date: Re: Adding read-only consumers to a Mirror Mode Replication setup?
Next by Date: Re: Permissions required to perform OU/DN filtering?
Index(es):
- Chronological
- Thread