
Re: ACL confusion



At 01:46 PM 6/24/99 -0400, Nicholas Riley wrote:
>Hi,
>
>I've been trying to set up ACLs with OpenLDAP's slapd.conf. I've 
>looked at the mailing list archives, and tried everything I could 
>find suggested there, done several hours worth of trial and error, 
>and really had a great lack of success.
>
>What I want to do is make one user, Netscape Server Admin, able to 
>perform full additions and updates on any record, and make all 
>attributes but passwords accessible to the public.
>
>Here are portions of my slapd.conf:
>
>>rootdn          "uid=root,ou=Staff,o='Invantage, Inc.',c=US"

That's not a valid DN (per RFC1779) and will likely cause problems.
Namely, the "," in o='Invantage, Inc.' must be quoted using an
approved mechanism.  The "'" character is NOT a quote character.

I suggest avoiding DNs that require quoting.  I'd also suggest
avoiding "'" in DNs, as it is misleading.

>>access to       attr=userpassword
>> by self        write
>> by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
>> by dn="cn=Netscape Server Admin,o='Invantage, Inc.',c=US" write
>> by *           compare
>>
>>access to       *
>> by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
>> by dn="cn=Netscape Server ,o='Invantage, Inc.',c=US" write
                            ^
typo: s/cn=Netscape Server /cn=Netscape Server Admin/


I suggest fixing these first.   If you have further problems,
be sure to provide log details with TRACE and ARGS enabled
in addition to ACLS, i.e.: -d 1 -d 4 -d 128  OR -d 133.

Kurt
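An added check, not part of this thread or of OpenLDAP's code, that splits a DN the way RFC 1779/2253 allow (backslash escape or double-quoted value) and shows why the single-quoted DN above falls apart into bogus components, so a slapd.conf "by dn=" clause written with it can never match the intended entry:

```python
"""Split an LDAP DN into its RDN strings, honouring the two quoting
mechanisms RFC 1779 / RFC 2253 allow for a comma inside a value:
a backslash escape (o=Invantage\\, Inc.) or a double-quoted value
(o="Invantage, Inc."). A single quote is not a quoting character,
so o='Invantage, Inc.' splits into two broken components.
Example code; the sample DNs are the ones quoted in the thread."""


def split_dn(dn: str) -> list[str]:
    rdns, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair verbatim
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes    # RFC 1779 double-quote quoting
        elif ch == "," and not in_quotes:
            rdns.append("".join(cur).strip())   # unquoted comma ends an RDN
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def dn_problems(dn: str) -> list[str]:
    """Return readable problems with a DN that would make an ACL
    'by dn=' clause silently fail to match the intended entry."""
    problems = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            problems.append(f"{rdn!r}: not attribute=value (unescaped comma?)")
        elif "'" in rdn:
            problems.append(f"{rdn!r}: single quote is not a DN quoting character")
    return problems


if __name__ == "__main__":
    for dn in ("uid=root,ou=Staff,o='Invantage, Inc.',c=US",
               "uid=root,ou=Staff,o=Invantage\\, Inc.,c=US"):
        print(dn, "->", split_dn(dn), dn_problems(dn) or "OK")
```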