[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL question

To: openldap-software@OpenLDAP.org
Subject: Re: ACL question
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Mon, 28 Jun 2004 14:27:01 +0200 (CEST)
Cc: openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <40E002B0.2020207@agora.msa.fr>
References: <1499.1088412276@www29.gmx.net> <40E002B0.2020207@agora.msa.fr>
User-agent: SquirrelMail/1.4.3a-1

> Why is the to empty ? I'm not sure it's the problem but you shall write
> "access to * attr=userPassword"
> consider reading slapd.access man page
> <http://www.openldap.org/software/man.cgi?query=slapd.access&sektion=5&apropos=0&manpath=OpenLDAP+2.2-Release>.

Actually, the "*" in that rule is implicit.  The "*" is a special value of
the "dn" pattern, and the "dn", the "filter" and the "attrs" forms can
appear in combination, to restrict the match.  At least one must be
present, so the "*" is implied if no pattern is given, as well as all
attributes are implied if no "attrs" is given, and a filter of
"(objectClass=*)" is implied if no filter is given.  This is discussed at
the end of the "<what>" section of slapd.access(5):

       The dn, filter, and attrs statements are additive; they can be used
 in
       sequence  to select entities the access rule applies to based on
naming
       context, value and attribute type simultaneously.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- ACL question
  - From: "Mario Ohnewald" <mario.Ohnewald@gmx.de>
- Re: ACL question
  - From: "Alexandre Garel" <garel.alexandre@agora.msa.fr>

Prev by Date: Re: how to make solaris 8 authenticate to an external openldap server
Next by Date: Replication Problem
Index(es):
- Chronological
- Thread