
Re: ACL



Fabrice Nouet wrote:

> With your recommendations I tried something else....
> really strange
>
> I have now only one line which is:
>
> access to dn=".*ou=User,o=Right vision" attr=userpassword
>            by dn="cn=Thierry,ou=Admin,o=Right Vision" read
>            by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
>            by * none

If it is the only line, and if default access is none, then no access is given
to the entries under "ou=User,o=Right Vision" except for the password.

>
> I am waiting for the following result:
> - Fabrice has access to write and read all entries below ou=User,o=Right
> Vision

No, here Fabrice just has write access to the userpassword attribute.

> - Thierry can read all entries below ou=User,o=Right Vision

No, Thierry can read all userpasswords under "ou=User,o=Right Vision".

> - The other users read all entries below ou=User,o=Right Vision but not the
> userpassword attribute below

They don't have access to the userpassword, but access to the entries
depends on the default access rule.

> but when I run the command
>
> ldapsearch  -D "cn=Thierry,ou=Admin,o=Right Vision" -w password -b "o=Right
> Vision" "objectclass=*"
>
> I see all entries in my base and not entries below ou=users,...

Of course, Thierry can only read the userpassword and not the entries.

> same behaviour for Fabrice

Same problem.

> with eric I can see all entries without the userpassword attribute

So, the default access rule must be "defaultaccess read".

>
> It is the same thing when I put a comma like this
>
> access to dn=".*,ou=User,o=Right vision" attr=userpassword  ....
>
> Now if I try to add :
>
> defaultaccess none
>
> no entry displayed for all users .....

Because your rules manage access to the userpassword attribute and not to the
entries.

Try this:

access to dn=".*,ou=User,o=Right Vision" attr=userpassword
           by dn="cn=Thierry,ou=Admin,o=Right Vision" read
           by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
           by * none

access to dn=".*,ou=User,o=Right Vision"
           by dn="cn=Thierry,ou=Admin,o=Right Vision" read
           by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
           by * read

Perhaps it's not exact, so if someone can help me... thanks.

Manu.
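Added example, not code from the thread: a small Python model of how slapd evaluates slapd.conf ACLs of this style (the first "access to" directive matching the entry and attribute wins, inside it the first matching "by" clause wins, and "defaultaccess" applies only when no directive matches), run against a constructed two-entry directory with the thread's one-rule and two-rule configurations. Eric's DN, the entry attributes, and anchored case-insensitive regex matching of the dn= pattern are assumptions.

```python
import re

LEVELS = ["none", "compare", "search", "read", "write"]  # slapd privilege order

def parse_acl(conf):
    """Parse slapd.conf 'access to dn="<regex>" [attr=a,b] by <who> <level> ...' directives."""
    rules = []
    for block in re.split(r"(?m)^\s*access\s+", conf)[1:]:
        head = re.match(r'to\s+dn="([^"]*)"(?:\s+attr=(\S+))?', block)
        bys = re.findall(r'by\s+(?:(\*)|dn="([^"]*)")\s+(\w+)', block)
        rules.append((re.compile("^" + head.group(1) + "$", re.I),  # assumption: anchored, case-insensitive
                      None if head.group(2) is None else set(head.group(2).lower().split(",")),
                      [("*" if star else dn.lower(), lvl) for star, dn, lvl in bys]))
    return rules

def level(rules, default, who, entry_dn, attr):
    """First directive matching entry+attribute wins; inside it the first matching 'by' wins;
    a matching directive with no matching 'by' grants none; no match at all -> defaultaccess."""
    for dn_re, attrs, bys in rules:
        if dn_re.match(entry_dn) and (attrs is None or attr.lower() in attrs):
            return next((lvl for w, lvl in bys if w == "*" or w == who.lower()), "none")
    return default

def allowed(rules, default, who, dn, attr, needed):
    return LEVELS.index(level(rules, default, who, dn, attr)) >= LEVELS.index(needed)

def search(rules, default, who, entries):
    """Model of 'ldapsearch ... (objectclass=*)': an entry is returned only with search
    access on the filter attribute, and only its readable attributes are shown."""
    return {dn: [a for a in attrs if allowed(rules, default, who, dn, a, "read")]
            for dn, attrs in entries.items()
            if allowed(rules, default, who, dn, "objectclass", "search")}

# Constructed sample directory; the ACL text is the thread's (Eric's DN is an assumption)
ENTRIES = {"cn=alice,ou=User,o=Right Vision": ["objectclass", "cn", "userpassword"],
           "cn=Thierry,ou=Admin,o=Right Vision": ["objectclass", "cn", "userpassword"]}
ONE_RULE = '''access to dn=".*,ou=User,o=Right Vision" attr=userpassword
           by dn="cn=Thierry,ou=Admin,o=Right Vision" read
           by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
           by * none'''
TWO_RULES = ONE_RULE + '''
access to dn=".*,ou=User,o=Right Vision"
           by dn="cn=Thierry,ou=Admin,o=Right Vision" read
           by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
           by * read'''
THIERRY, FABRICE, ERIC = ["cn=%s,ou=Admin,o=Right Vision" % n for n in ("Thierry", "Fabrice", "Eric")]
```

With ONE_RULE and "defaultaccess none" every search returns nothing, with "defaultaccess read" Eric sees alice without userpassword but also sees the userpassword of entries outside ou=User, and with TWO_RULES and "defaultaccess none" the three requesters get exactly the result Fabrice was waiting for while entries outside ou=User stay hidden.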