[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: help with ACL

To: Giri Raichur <gzzr@lanl.gov>
Subject: Re: help with ACL
From: "Kurt D. Zeilenga" <kurt@boolean.net>
Date: Tue, 26 Oct 1999 09:36:22 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <3815C58C.5C3BE749@lanl.gov>
References: <3.0.5.32.19991025154607.0095cad0@localhost> <3.0.5.32.19991025220647.00982100@localhost>

At 09:15 AM 10/26/99 -0600, Giri Raichur wrote:
>"Kurt D. Zeilenga" wrote:
>
>> At 10:38 PM 10/25/99 -0600, Giridhar Raichur wrote:
>> >> >1. Disable anonymous access (NULL bind entry)
>> >>
>> >> Set default access to none and add:
>> >>      by dn="" none
>> >
>> >I tried to do just that but that seems to prevent all searches.
>> >Here's what I have in my access list -
>> >
>> >defaultaccess none
>> >
>> >access to dn=".*, o=Los Alamos National Laboratory, c=US"
>> >       by dn="" none
>> >       by dn=".*, o=Los Alamos National Laboratory, c=US" read
>> >       by *    none
>>
>> s/, /,/g above so that the DN regex will able to match the
>> normalized DNs of your entries.
>>
>
>I did what you suggested but with the same result. It works OK if
>I comment out
>"defaultaccess none" or when I make default access "read".

Sorry, I forgot that dn="" doesn't work in OpenLDAP 1.2.
Instead, you need to use dn="^$$" to match anonymous uses.
(Yes, two $$).  So,

access to dn=".*,o=Los Alamos National Laboratory,c=US"
	by dn="^$$" none
	by dn=".*,o=Los Alamos National Laboratory,c=US" read
	by *    none

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>

Follow-Ups:
- Re: help with ACL
  - From: Giri Raichur <gzzr@lanl.gov>

References:
- Re: help with ACL
  - From: "Kurt D. Zeilenga" <kurt@boolean.net>
- Re: help with ACL
  - From: "Kurt D. Zeilenga" <kurt@boolean.net>
- Re: help with ACL
  - From: Giri Raichur <gzzr@lanl.gov>

Prev by Date: Re: help with ACL
Next by Date: Re: help with ACL
Index(es):
- Chronological
- Thread