
Re: olcAccess problem




On 06/06/2011 01:47 PM, Aurélien Lafranchise wrote:
> Hi,
> 
> On my olcDatabase={1}bdb,cn=config I added an ACL:
> {0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read  by
> * auth
> 
> I don't understand why I have to add by * auth to allow the two previous
> users to log in?

Most of the time when connecting to the ldap server, your connection
starts unauthenticated and you are an anonymous user. To be able to
authenticate via simple bind, the account's userPassword attribute needs
to have an auth permission to be considered. The common thing to do is
to add this as the first acl in the list:

olcAccess: {0}to attrs=userPassword by self write by * auth

If you want replication of user accounts, then you need to grant an
additional privilege to the replication user to read it. Something like
this:

olcAccess: {0}to * by dn.exact="the replication user's dn" read by *
  break
olcAccess: {1}to attrs=userPassword by self write by * auth

You definitely need to read man slapd.access though.

-- 
Ondrej Kuznik
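A simplified model of the evaluation order the reply relies on (first matching "to" clause, first matching "by" clause, "stop" vs "break"), added here as an illustration; it is neither slapd's code nor the poster's configuration, and the replication DN "cn=replicator,dc=example" is a constructed placeholder.

```python
# Simplified model of how slapd walks an olcAccess list (added illustration,
# not slapd's code). Assumed semantics, per slapd.access(5): levels are
# cumulative (write > read > search > compare > auth > none); the first "to"
# clause matching the target is used; the first matching "by" clause sets the
# access; the default control "stop" makes it final, "break" moves on to the
# next "to" clause; a matched "to" clause with no matching "by" clause denies.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def grants(have, need):
    return LEVELS.index(have) >= LEVELS.index(need)


def allowed(acl, requester_dn, entry_dn, attr, need):
    """requester_dn is None for an anonymous (not yet bound) connection."""
    access = "none"
    for target, by_clauses in acl:
        if target not in ("*", attr):
            continue
        for who, level, control in by_clauses:
            if who == "*" or who == requester_dn or (who == "self" and requester_dn == entry_dn):
                access = level
                break
        else:
            return False  # "to" matched but nothing in "by" did: implicit "by * none"
        if control != "break":
            return grants(access, need)  # "stop": this decision is final
    return grants(access, need)  # reached the end of the list after "break"s


def simple_bind_allowed(acl, bind_dn):
    """A simple bind is checked as anonymous needing auth on the target's userPassword."""
    return allowed(acl, None, bind_dn, "userPassword", "auth")


USER1, USER2 = "cn=user1,dc=truc", "cn=user2,dc=mbqt"
REPL = "cn=replicator,dc=example"  # constructed placeholder for the replication user's DN
# The poster's ACL, with and without the trailing "by * auth".
ORIGINAL = [("*", [(USER1, "write", "stop"), (USER2, "read", "stop"), ("*", "auth", "stop")])]
WITHOUT_AUTH = [("*", [(USER1, "write", "stop"), (USER2, "read", "stop")])]
# The two variants suggested in the reply ("by * break" grants nothing by itself).
RECOMMENDED = [("userPassword", [("self", "write", "stop"), ("*", "auth", "stop")])]
WITH_REPLICATION = [("*", [(REPL, "read", "stop"), ("*", "none", "break")]),
                    ("userPassword", [("self", "write", "stop"), ("*", "auth", "stop")])]

if __name__ == "__main__":
    print("bind as user1 without 'by * auth':", simple_bind_allowed(WITHOUT_AUTH, USER1))
    print("bind as user1 with 'by * auth':   ", simple_bind_allowed(ORIGINAL, USER1))
    print("replicator reads user1's password:", allowed(WITH_REPLICATION, REPL, USER1, "userPassword", "read"))
```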
