ACL problems
I have the following ACL in slapd.conf:
defaultaccess none
# Allow the following fields to be seen by the world
access to attrs=mobile,mail,cn,sn,givenname,o,ou,title,uid,telephoneNumber
    by * read
# Allow the manager and user to change the user's password
access to attrs=userpassword
    by self write
    by dn="cn=Manager,dc=nowcom,dc=com" write
    by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
    by * search
#   by anonymous auth
# Allow clients to authenticate
access to
    attrs=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,desc
    by dn="cn=Manager,dc=nowcom,dc=com" write
    by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
    by * read
# HERE IS MY PROBLEM
# Allow the ldap manager and ldap sysadmins to change all information
# BTW, I have also tried "access to *"
#access to dn="ou=People,dc=nowcom,dc=com"
#    by dn="cn=Manager,dc=nowcom,dc=com" write
#    by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
#    by * search
# Allow log information for slapd to use for internal use (This must be in
# here to authenticate)
access to attrs=entry
    by * read
When I leave the above "HERE IS MY PROBLEM" ACL commented out, I can do an
anonymous ldapsearch and receive information back because of the "Allow the
following fields to be seen by the world" ACL. If I uncomment the "HERE IS MY
PROBLEM" ACL, then I cannot get anything returned to me when I do an anonymous
ldapsearch. I do know that the ACLs are read on a first-seen, first-match
basis, and I thought that everything was set up that way, but I could easily be
mistaken. Can someone please take a look at this and let me know if there is
anything that I can do to allow the LDAP administrators to change all LDBM
information but still allow anonymous users to use ldapsearch for address book
information?
Thanks,
Joe
Joseph Hoot
System Administrator
http://www.networkpenguin.com
joe@networkpenguin.com
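To see why the position of the "HERE IS MY PROBLEM" clause matters, the following small first-match ACL evaluator is added here as an example; it is not OpenLDAP code and it is not part of the post above. It replays the poster's own ACL three ways: as posted (problem clause commented out), with the problem clause uncommented before "access to attrs=entry", and reordered so the catch-all comes last with the Manager/sysadmin write grants repeated in every earlier attribute clause. It assumes the OpenLDAP 2.0 semantics the post relies on: dn= targets are unanchored, case-insensitive regexes; a clause with no attrs= covers every attribute, including the "entry" pseudo-attribute a search must read before it returns an entry; each clause ends with an implicit "by * none". Group membership is a hard-coded table rather than a directory lookup, and the uid=alice / uid=bob DNs are constructed test data (alice is assumed to be a member of cn=sysadmin). The "desc" attribute from the post is left out of the model because its name is truncated there.

```python
"""Toy first-match evaluator for slapd.conf ACLs in the OpenLDAP 2.0 style.

Added example, not OpenLDAP code.  Assumptions: dn= targets are unanchored,
case-insensitive regexes (the 2.0 default); a clause without attrs= covers
every attribute, including the 'entry' pseudo-attribute a search must be able
to read before it returns an entry; each clause ends with an implicit
'by * none'; group membership comes from a hard-coded table rather than a
directory lookup; the uid=alice / uid=bob DNs are constructed test data.
"""
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=Manager,dc=nowcom,dc=com"
SYSADMIN = "cn=sysadmin,ou=Group,dc=nowcom,dc=com"
ALICE = "uid=alice,ou=People,dc=nowcom,dc=com"   # constructed: assumed sysadmin member
BOB = "uid=bob,ou=People,dc=nowcom,dc=com"       # constructed: an ordinary user
GROUPS = {SYSADMIN: {ALICE}}                     # constructed membership table


def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in file order; '#' comments dropped."""
    tokens = shlex.split("\n".join(l.split("#", 1)[0] for l in text.splitlines()))
    clauses, i = [], 0
    while i < len(tokens):
        assert tokens[i:i + 2] == ["access", "to"], tokens[i]
        i += 2
        target = {"attrs": None, "dn": None}
        while tokens[i] != "by":          # target specs; a bare '*' matches everything
            if tokens[i].startswith("attrs="):
                target["attrs"] = set(tokens[i][6:].lower().split(","))
            elif tokens[i].startswith("dn="):
                target["dn"] = tokens[i][3:]
            i += 1
        bys = []
        while i < len(tokens) and tokens[i] == "by":
            bys.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        clauses.append((target, bys))
    return clauses


def who_matches(who, binddn, entry_dn):
    """binddn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":
        return binddn is not None and binddn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return binddn is not None and binddn.lower() == who[3:].lower()
    if who.startswith("group="):
        return binddn in GROUPS.get(who[6:], set())
    raise ValueError("unsupported <who>: " + who)


def allowed(clauses, binddn, entry_dn, attr, wanted, default="none"):
    """First clause whose target matches decides; inside it, the first matching 'by' decides."""
    for target, bys in clauses:
        if target["attrs"] is not None and attr.lower() not in target["attrs"]:
            continue
        if target["dn"] is not None and not re.search(target["dn"], entry_dn, re.I):
            continue
        granted = next((lvl for who, lvl in bys if who_matches(who, binddn, entry_dn)), "none")
        return LEVELS.index(granted) >= LEVELS.index(wanted)
    return LEVELS.index(default) >= LEVELS.index(wanted)   # 'defaultaccess none'


def visible_attrs(acl_text, binddn, entry_dn, attrs):
    """Attributes a search returns for entry_dn, or None when the entry itself is not readable."""
    clauses = parse_acl(acl_text)
    if not allowed(clauses, binddn, entry_dn, "entry", "read"):
        return None
    return [a for a in attrs if allowed(clauses, binddn, entry_dn, a, "read")]


def can_write(acl_text, binddn, entry_dn, attr):
    return allowed(parse_acl(acl_text), binddn, entry_dn, attr, "write")


# The poster's clauses, rebuilt as strings so the three orderings can be compared.
ADMIN_BY = ' by dn="%s" write\n by group="%s" write\n' % (MANAGER, SYSADMIN)
PUBLIC = "access to attrs=mobile,mail,cn,sn,givenname,o,ou,title,uid,telephoneNumber\n"
PASSWORD = "access to attrs=userpassword\n by self write\n" + ADMIN_BY + " by * search\n"
POSIX = ("access to attrs=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos\n"
         + ADMIN_BY + " by * read\n")
CATCH_ALL = 'access to dn="ou=People,dc=nowcom,dc=com"\n' + ADMIN_BY + " by * search\n"
ENTRY = "access to attrs=entry\n by * read\n"

ACL_AS_POSTED = PUBLIC + " by * read\n" + PASSWORD + POSIX + ENTRY               # problem clause commented out
ACL_UNCOMMENTED = PUBLIC + " by * read\n" + PASSWORD + POSIX + CATCH_ALL + ENTRY  # problem clause before attrs=entry
ACL_REORDERED = (PUBLIC + ADMIN_BY + " by * read\n" + PASSWORD + POSIX
                 + "access to attrs=entry\n" + ADMIN_BY + " by * read\n" + CATCH_ALL)

if __name__ == "__main__":
    for name, acl in [("as posted", ACL_AS_POSTED), ("uncommented", ACL_UNCOMMENTED), ("reordered", ACL_REORDERED)]:
        print(name, "| anonymous sees:", visible_attrs(acl, None, BOB, ["cn", "mail", "userPassword", "homeDirectory"]),
              "| Manager writes cn:", can_write(acl, MANAGER, BOB, "cn"),
              "| Manager writes description:", can_write(acl, MANAGER, BOB, "description"))
```

Two things fall out of running it. With the catch-all uncommented ahead of "access to attrs=entry", the catch-all is the first clause that matches the "entry" pseudo-attribute of anything under ou=People, so anonymous gets only "search" there and no entry is returned, whatever the earlier attribute clauses allow. And even with the catch-all commented out, cn=Manager cannot write cn or mail, because the "seen by the world" clause matches those attributes first and its only "by" line is "by * read"; the write grants have to be repeated in every attribute clause that precedes the catch-all.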