[Fwd: Re: Access controls not working, exactly]
-------- Original Message --------
Subject: Re: Access controls not working, exactly
Date: Tue, 16 Nov 1999 11:04:15 -0500
From: Sven <sven@staff.mail.com>
Organization: Mail.com
To: Marco Ferrante <ferrante@unige.it>
References: <199911160801.JAA06182@igecuniv.csita.unige.it>
Marco Ferrante wrote:
> We need an exact copy of your slapd.conf to do a diagnosis (you can change
> names, obviously), but sometimes errors are very hard to recognize.
>
> Date sent: Mon, 15 Nov 1999 17:39:00 -0500
> From: Sven <sven@staff.mail.com>
> Organization: Mail.com
> To: openldap-software@OpenLDAP.org
> Subject: Access controls not working, exactly
>
> > I have put in access to ... by lines in the slapd.conf but the
> > permission still seem to be the same for anonymous logins
> > and authenticated logins. I've tried a bunch of different
> > permutations of the "access to ..." directive. eg1. access to
> > dn=".*,o=XYZ,c=US" by group="cn=Group,o=XYZ,c=US" read by * none
> >
> > results in neither the groupmembers nor anonymous authentications being
> > able to read
> >
> > eg. access to dn=".*,o=XYZ,c=US" by group="cn=Group,o=XYZ,c=US"
> > read
> >
> > results in both the groupmembers and anonymous authentications being
> > able to read
> >
> > Need help
> >
>
> --------------------------------------------------------
> Marco Ferrante (ferrante@unige.it)
> CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
> Università degli Studi di Genova - Italy
> Viale Brigata Salerno - 16147 Genova
> tel (+39) 0103532621 (ext. 2621)
> --------------------------------------------------------
I finally got it working after trying every possible permutation. It's not
exactly how I wanted it set up, which was using group access controls
(access to dn=".*,o=XYZ,c=US" by group="cn=Group,o=XYZ,c=US" read).
Instead I am using:
access to dn=".*ou=Department,o=XYZ,c=US" by dn=".*,ou=Department,o=XYZ,c=US" read
which works, denying anonymous logins and allowing only rdn's in the
Department division to access entries in the Department.
This might actually end up being ideal, as instead of having to manage both
a group and all the respective entries in the department, when an entry is
added/deleted I won't have to add/delete a member from the access control
group.
I added the "defaultaccess none" line to the slapd.conf as well, which I
think might have been at the root of some of the problems I was having
distinguishing anonymous login permissions from authenticated user
permissions.
I'm still open to suggestions if maybe I'm still not seeing the entire
picture.
Thanks.
Access Control Shit
slapd.conf excerpt
-------------
defaultaccess none
access to attr=objectclass
        by * read
access to attr=userpassword
        by self write
        by * compare
access to dn=".*,o=Mail.com,o=Root,c=US"
        by dn=".*,ou=Mail Transfer,o=Mail.com,o=Root,c=US" read
        by * none
access to * by * read
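To check what the excerpt above actually grants to an anonymous bind versus an authenticated one before relying on it, here is an added Python simulator of the OpenLDAP 1.x evaluation order (the first matching "access to" line wins, then its first matching "by" clause); it is not OpenLDAP's code. It assumes unanchored, case-insensitive regex matching for dn= selectors, that a matched line with no matching "by" clause denies, that an anonymous bind has an empty DN, and it does not model group= selectors.

```python
import re
import shlex

# Constructed copy of the slapd.conf excerpt from the mail, continuation lines joined
SLAPD_CONF = """
defaultaccess none
access to attr=objectclass by * read
access to attr=userpassword by self write by * compare
access to dn=".*,o=Mail.com,o=Root,c=US" by dn=".*,ou=Mail Transfer,o=Mail.com,o=Root,c=US" read by * none
access to * by * read
"""
LEVELS = ["none", "compare", "search", "read", "write"]  # 1.x levels, low to high; higher implies lower

def parse(conf):
    default, rules = "read", []                  # 1.x default when no defaultaccess line is given
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)   # keeps dn="...Mail Transfer..." as one token
        if tok[:1] == ["defaultaccess"]:
            default = tok[1]
        elif tok[:2] == ["access", "to"]:
            bys = [(tok[i + 1], tok[i + 2]) for i, t in enumerate(tok) if t == "by"]
            rules.append((tok[2], bys))          # (what, [(who, level), ...])
    return default, rules

def what_matches(what, entry, attr):
    if what.startswith("attr="):
        return attr is not None and attr.lower() == what[5:].lower()
    return what == "*" or re.search(what[3:], entry, re.I) is not None   # dn=<regex>

def who_matches(who, requester, entry):          # group= selectors are not modelled
    if who == "*":
        return True
    if requester == "":                          # anonymous bind: self and dn= never match
        return False
    if who == "self":
        return requester.lower() == entry.lower()
    return who.startswith("dn=") and re.search(who[3:], requester, re.I) is not None

def granted(conf, requester, entry, attr=None):
    default, rules = parse(conf)
    for what, bys in rules:
        if what_matches(what, entry, attr):
            for who, level in bys:
                if who_matches(who, requester, entry):
                    return level
            return "none"                        # line matched but no 'by' clause did: denied
    return default                               # no line matched: defaultaccess applies

def allows(conf, requester, entry, attr, wanted):
    return LEVELS.index(granted(conf, requester, entry, attr)) >= LEVELS.index(wanted)
```

Running granted() for an empty requester and for a DN under ou=Mail Transfer against the same entry shows the split the mail describes: anonymous gets none, the transfer account gets read, while objectclass stays world-readable and userpassword is compare-only except for self.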