
Re: Help on ACLs



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

First of all, you need to move the 'access to attr=userPassword' to the top.

ACLs are evaluated from top to bottom, and the first one that matches will 
take effect.

In your case, 'access to *' will match every entry and all attributes of every 
entry (including userPassword) so the second rule will never be reached at 
all.

> I have these in slapd.conf
>
> access to *
>         by self write
>         by users read
>         by dn.base="cn=admin,dc=domain,dc=com" write
>         by anonymous auth
>
> access to attr=userPassword
>         by self write
>         by dn.base="cn=admin,dc=domain,dc=com" write

Furthermore, you should move the 'by anonymous auth' from the first rule to 
the second rule (and of course, then place the second rule at the top).

Authentication happens anonymously against userPassword!

>
> I want to restrict access to userPassword for other users. Appreciate any
> help.

That will do the trick. No one can access the userPassword, except 'self' and 
the admin, who both can write, and anonymous, who can auth.

# Most specific rule first: once an 'access to' clause matches an
# attribute, no later clause is consulted for it.
access to attr=userPassword
        by self write
        by dn.base="cn=admin,dc=domain,dc=com" write
        by anonymous auth

# Everything else. userPassword is already handled above, so 'by users
# read' here no longer exposes it.
access to *
        by self write
        by users read
        by dn.base="cn=admin,dc=domain,dc=com" write

That should do it. It's very good of you that you specified 'dn.base' and not 
just 'dn', which defaults to 'dn.regex', since dn.regex will match ANY dn with 
the string 'cn=admin,dc=domain,dc=com' in it 
(so also 'uid=user1,cn=admin,dc=domain,dc=com'!)

Hope that helps,
ace

website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFAAPQYy7boE8xtIjURAje3AJwNrhNBjta0sqtjBRSRZe2vI1PLVwCgojEC
b0jc5PtIzJCK5xeEDtu8h1c=
=+nms
-----END PGP SIGNATURE-----