[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Bug in slapd's acl's with SASL (ITS#2067)
The implicit "by * none" doesn't grant access to authentication
and authorization attributes. See the Administrator's Guide
section on access control and slapd.access(5) with particular
attention to the "auth" permissions.
Kurt
At 02:20 PM 2002-09-04, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.4
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.64.13.58)
>
>
>Hello,
>
>Currently if we define our ACL's as such:
>
># ACL include file for slapd
>#
># this is specific to ldap4.stanford.edu for testing
>
>access to *
> by dn="cn=manager,dc=stanford,dc=edu" write
> by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
> by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
> by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
> by * read
>
>
>Where membership is defined in the groups using SASL with GSSAPI and regexp's,
>everything works fine.
>
>However, as soon as we remove 'by * read', we can no longer bind into our groups
>for access.