[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL rule: getting crazy with it.

Simone Taliercio wrote:
> access to *
>         by self write
>         by anonymous auth
>         by users search
> The only way to workaround that issue is removing any ACL or leaving "by users
> read".

Looking at the ACL above you likely run into a misunderstanding.

You should carefully read slapd.access(5). Especially the very important
section "THE ACCESS DIRECTIVE" describes significance of order of <what> and
<who> clauses and that the checking stops at the first matching <what> and
<who> clause (if control flow is not explicitly redirected).

Given the example above you might rather want this:

access to *
        by self write
        by users search
        by * auth


Also it's very handy to run slapd -d stats,acl [..other params..] to get ACL
debugging displayed on console.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature