
Re: Apologies - ACL question



At 11:55 AM 6/15/00 -0400, Michael Thomas wrote:
> => access_allowed: exit (mail=mike@foo.com, ou=Employees, dc=foo,
>dc=com) attr (entry)
>acl: access to entry not allowed

You did not grant access to the entry pseudo attribute.
You likely should make the following changes:

>
>
>defaultaccess  none
>
>access to attr=userPassword
> by self write
> by dn="cn=Administrator,dc=foo,dc=com" write
> by dn="^$$" compare
> by * none

Not sure why you grant anonymous users the right to
compare userPassword values.  Seems quite inappropriate
(and not needed for authentication).

>access to attr=mail
> by dn=".*,ou=Employees,dc=foo,dc=com" write
> by dn="^$$" search
> by * none

You grant anonymous ability to search by mail and
uid, but not permission to read mail and uid.
Read is needed if you desire to have these values
returned.

>access to attr=uid
> by self write
> by dn="cn=Administrator,dc=foo,dc=com" write
> by dn=".*,ou=Employees,dc=foo,dc=com" read
> by dn="^$$" search
> by * none

access to attr=entry
  by self write
  by dn="cn=Administrator,dc=foo,dc=com" write
  by dn=".*,ou=Employees,dc=foo,dc=com" write
  by dn="^$$" read
  by * none

>access to *
> by dn=".*,ou=Employees,dc=foo,dc=com" write
> by * none

This gives users under ou=employees the right to
write anything (excepting those items above
where less rights were granted).
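Added illustration, not part of the thread: a small Python model of how slapd evaluates these old regex-style ACLs (first matching `access to` clause, first matching `by` clause inside it, and the granted level must be at least the requested one), run against a cut-down, constructed copy of the posted configuration with and without the suggested `attr=entry` clause. The `self`/administrator lines are omitted and `defaultaccess none` is assumed.

```python
import re
# slapd access levels, lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Collect 'access to <what>' clauses and their 'by <who> <level>' lines."""
    acls = []                                      # [(what, [(who, level), ...]), ...]
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["access", "to"]:
            acls.append((words[2], []))
        elif words[:1] == ["by"]:
            acls[-1][1].append((words[1], words[2]))
    return acls

def who_matches(who, requester):
    """Old-style 'by' clause: '*' or dn=<regex>; '$$' is how a literal '$' is written."""
    if who == "*":
        return True
    pattern = who[3:].strip('"').replace("$$", "$")
    return re.search(pattern, requester) is not None   # unanchored, as slapd matches

def access_allowed(acls, requester, attr, needed):
    """First 'access to' clause matching attr wins; inside it, the first matching 'by' wins."""
    for what, clauses in acls:
        if what in ("*", f"attr={attr}"):
            for who, level in clauses:
                if who_matches(who, requester):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False                           # clause matched, no 'by' did: denied
    return False                                   # nothing matched: 'defaultaccess none'

# Constructed input: a cut-down copy of the posted ACLs (self/admin lines omitted), and
# the same text with the suggested 'access to attr=entry' clause ahead of 'access to *'.
POSTED_TEXT = """
access to attr=userPassword
 by dn="^$$" compare
 by * none
access to attr=mail
 by dn=".*,ou=Employees,dc=foo,dc=com" write
 by dn="^$$" search
 by * none
access to *
 by dn=".*,ou=Employees,dc=foo,dc=com" write
 by * none
"""
ENTRY_FIX = ('access to attr=entry\n by dn=".*,ou=Employees,dc=foo,dc=com" write\n'
             ' by dn="^$$" read\n')
POSTED = parse_acl(POSTED_TEXT)
FIXED = parse_acl(POSTED_TEXT.replace("access to *", ENTRY_FIX + "access to *"))
```

With POSTED, an anonymous bind (empty DN) is refused `read` on `entry`, which is the "access to entry not allowed" in the log; with FIXED it is granted, while anonymous `read` on `mail` still fails because only `search` was given.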