
ACL problems



I have the following ACL in slapd.conf:


defaultaccess   none
 
# Allow the following fields to be seen by the world
access to attrs=mobile,mail,cn,sn,givenname,o,ou,title,uid,telephoneNumber
        by * read
 
# Allow the manager and user to change the user's password
access to attrs=userpassword
        by self write
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by * search
#       by anonymous auth
 
# Allow clients to authenticate
access to attrs=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,desc
        by dn="cn=Manager,dc=nowcom,dc=com" write
        by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
        by * read

# HERE IS MY PROBLEM 
# Allow the ldap manager and ldap sysadmins to change all information
# BTW, I have also tried "access to *"
#access to dn="ou=People,dc=nowcom,dc=com"
#       by dn="cn=Manager,dc=nowcom,dc=com" write
#       by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
#       by * search
 
# Allow log information for slapd to use for internal use (This must be in
# here to authenticate)
access to attrs=entry
        by * read


When I leave the above "HERE IS MY PROBLEM" ACL commented out, I can do an
anonymous ldapsearch and receive information back because of the "Allow the
following fields to be seen by the world" ACL.  If I uncomment the "HERE IS MY
PROBLEM" ACL, then I cannot get anything returned to me when I do an anonymous
ldapsearch.  I do know that the ACLs are read on a first seen, first match
basis and I thought that everything is set up that way, but I could easily be
mistaken.  Can someone please take a look at this and let me know if there is
anything that I can do to be able to have LDAP administrators change all LDBM
information but still allow anonymous users to use ldapsearch for addressbook
information?
 
Thanks,
Joe

Joseph Hoot
System Administrator
http://www.networkpenguin.com
joe@networkpenguin.com
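The first-match behaviour the post asks about can be reasoned through with a small model of slapd's ACL evaluation. The script below is an added illustration, not code from the post or from OpenLDAP; it models the clauses from the quoted slapd.conf as Python data and assumes (as OpenLDAP 2.0 did) that a bare `dn="..."` target is a regular expression matched anywhere in the entry's DN, that a clause without `attrs=` also covers the `entry` pseudo-attribute, and that a search only returns an entry when the requester has read access to `entry`. Under those assumptions it shows why the uncommented clause hides everything from anonymous binds (it is reached for `entry` before the `attrs=entry` clause and grants only `search`), and it also shows that, because of the same first-match rule, the manager gets only `read` on the address-book attributes unless the first clause names the manager explicitly.

```python
import re

# Privilege levels in increasing order; each level implies the ones below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
DEFAULT_ACCESS = "none"  # the "defaultaccess none" line from the post

def implies(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

def who_matches(who, subject, entry_dn):
    """subject is None for an anonymous bind, else {"dn": str, "groups": set}."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if subject is None:
        return False
    if who == "self":
        return subject["dn"].lower() == entry_dn.lower()
    kind, value = who
    if kind == "dn":
        return subject["dn"].lower() == value.lower()
    if kind == "group":
        return value.lower() in {g.lower() for g in subject["groups"]}
    return False

def access(acls, subject, entry_dn, attr):
    """First match wins: the first clause whose target covers this entry and
    attribute decides, and within it the first matching 'by' decides.
    A clause whose target matches but whose 'by' list does not grants nothing."""
    for target_dn, attrs, by in acls:
        if target_dn is not None and not re.search(target_dn, entry_dn, re.I):
            continue
        if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
            continue
        for who, level in by:
            if who_matches(who, subject, entry_dn):
                return level
        return "none"
    return DEFAULT_ACCESS

def visible_attrs(acls, subject, entry_dn, entry_attrs):
    """What an ldapsearch returns: nothing unless 'entry' is readable,
    otherwise every attribute the requester can read."""
    if not implies(access(acls, subject, entry_dn, "entry"), "read"):
        return []
    return [a for a in entry_attrs if implies(access(acls, subject, entry_dn, a), "read")]

# The clauses from the post, as (dn-regex or None, attribute list or None, by-list).
WORLD = ["mobile", "mail", "cn", "sn", "givenname", "o", "ou", "title", "uid", "telephoneNumber"]
MANAGER = ("dn", "cn=Manager,dc=nowcom,dc=com")
SYSADMIN = ("group", "cn=sysadmin,ou=Group,dc=nowcom,dc=com")
AUTH_ATTRS = ["objectclass", "uid", "host", "uidnumber", "gidnumber",
              "homedirectory", "loginshell", "gecos", "desc"]

CLAUSE_WORLD = (None, WORLD, [("*", "read")])
CLAUSE_PASSWORD = (None, ["userpassword"],
                   [("self", "write"), (MANAGER, "write"), (SYSADMIN, "write"), ("*", "search")])
CLAUSE_AUTH = (None, AUTH_ATTRS, [(MANAGER, "write"), (SYSADMIN, "write"), ("*", "read")])
CLAUSE_PROBLEM = ("ou=People,dc=nowcom,dc=com", None,
                  [(MANAGER, "write"), (SYSADMIN, "write"), ("*", "search")])
CLAUSE_ENTRY = (None, ["entry"], [("*", "read")])

ACL_COMMENTED = [CLAUSE_WORLD, CLAUSE_PASSWORD, CLAUSE_AUTH, CLAUSE_ENTRY]
ACL_UNCOMMENTED = [CLAUSE_WORLD, CLAUSE_PASSWORD, CLAUSE_AUTH, CLAUSE_PROBLEM, CLAUSE_ENTRY]
# Constructed fix for this model: 'entry' is decided before the catch-all clause,
# and the administrators are named in the world-readable clause so first-match
# does not stop them at 'read'.
ACL_FIXED = [(None, WORLD, [(MANAGER, "write"), (SYSADMIN, "write"), ("*", "read")]),
             CLAUSE_PASSWORD, CLAUSE_AUTH, CLAUSE_ENTRY, CLAUSE_PROBLEM]

# Constructed sample entry and subjects.
ENTRY_DN = "uid=joe,ou=People,dc=nowcom,dc=com"
ENTRY_ATTRS = ["mail", "cn", "userpassword", "homedirectory", "description"]
ANON = None
MANAGER_SUBJECT = {"dn": "cn=Manager,dc=nowcom,dc=com", "groups": set()}

if __name__ == "__main__":
    for name, acl in [("commented", ACL_COMMENTED), ("uncommented", ACL_UNCOMMENTED), ("fixed", ACL_FIXED)]:
        print(name, "anonymous sees:", visible_attrs(acl, ANON, ENTRY_DN, ENTRY_ATTRS),
              "| manager on mail:", access(acl, MANAGER_SUBJECT, ENTRY_DN, "mail"),
              "| manager on description:", access(acl, MANAGER_SUBJECT, ENTRY_DN, "description"))
```

The model is deliberately small (no `dn.subtree`, no `children`, no regex groups), but it captures the two consequences of first-match ordering that matter here: a catch-all clause placed before the `attrs=entry` clause decides the `entry` pseudo-attribute for anonymous users, and a clause that grants `by * read` without naming the administrators caps them at `read` for those attributes.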