Re: ACL problems
At 12:16 AM 10/3/00 +0000, Joseph Hoot wrote:
>I have the following ACL in slapd.conf:
>
>
>defaultaccess none
>
># Allow the following fields to be seen by the world
>access to attrs=mobile,mail,cn,sn,givenname,o,ou,title,uid,telephoneNumber
> by * read
>
># Allow the manager and user to change the user's password
>access to attrs=userpassword
> by self write
> by dn="cn=Manager,dc=nowcom,dc=com" write
> by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
> by * search
># by anonymous auth
>
># Allow clients to authenticate
>access to
>attrs=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,desc
>by dn="cn=Manager,dc=nowcom,dc=com" write
> by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
> by * read
>
># HERE IS MY PROBLEM
># Allow the ldap manager and ldap sysadmins to change all information
># BTW, I have also tried "access to *"
>#access to dn="ou=People,dc=nowcom,dc=com"
># by dn="cn=Manager,dc=nowcom,dc=com" write
># by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
># by * search
>
># Allow log information for slapd to use for internal use (This must be in
>#here to authenticate)
>access to attrs=entry
> by * read
>
>
>When I leave the above "HERE IS MY PROBLEM" acl commented out, I can do an
>anonymous ldapsearch and receive information back because of the "Allow the
>following fields to be seen by the world" ACL. If I uncomment the "HERE IS MY
>PROBLEM" ACL,

then the last ACL will only be reached if dn != "ou=People,dc=nowcom,dc=com".

>then I cannot get anything returned to me when I do an anonymous
>ldapsearch. I do know that the ACL is read on a first seen, first match
>basis and I thought that everything is set up that way, but I could easily be
>mistaken. Can someone please take a look at this and let me know if there is
>anything that I can do to be able to have LDAP administrators change all LDBM
>information but still allow anonymous users to use ldapsearch for addressbook
>information?
>
>Thanks,
>Joe
>
>Joseph Hoot
>System Administrator
>http://www.networkpenguin.com
>joe@networkpenguin.com
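Added illustration, not from the thread: a small Python model of slapd's first-match ACL evaluation run over the rules from the post (only the "world-readable attrs", "ou=People" and "entry" rules are modelled). It shows why anonymous can read the address-book attributes yet gets no entries back, and one reordering that restores them; the `access`/`returned_by_anonymous_search` names and the `FIXED` ordering are my own assumptions, not something the reply prescribes.

```python
import re

# Constructed model of slapd.conf ACL evaluation (not OpenLDAP's own code),
# using the semantics the thread relies on: rules are tried in file order and
# the first rule whose <what> matches the (DN, attribute) pair decides; within
# it the first matching <who> clause wins; dn="..." is a regex (OpenLDAP 2.0);
# "entry" is the pseudo-attribute a requester needs "read" on to get an entry.
MANAGER = "cn=Manager,dc=nowcom,dc=com"
SYSADMIN = "group:cn=sysadmin,ou=Group,dc=nowcom,dc=com"

def access(rules, dn, attr, who):
    """Access level the first matching rule grants `who` on (dn, attr)."""
    for what, clauses in rules:
        if "dn" in what and not re.search(what["dn"], dn, re.IGNORECASE):
            continue
        if "attrs" in what and attr.lower() not in what["attrs"]:
            continue
        for subject, level in clauses:
            if subject == "*" or subject == who:
                return level
        return "none"          # <what> matched but no <who> clause applies
    return "none"              # defaultaccess none

def attrs(*names):
    return {"attrs": {n.lower() for n in names}}

PUBLIC = attrs("mobile", "mail", "cn", "sn", "givenname", "o", "ou",
               "title", "uid", "telephoneNumber")
ADMIN_WRITE = [(MANAGER, "write"), (SYSADMIN, "write")]
# The "HERE IS MY PROBLEM" rule: regex matches every DN under ou=People.
PEOPLE_RULE = ({"dn": "ou=People,dc=nowcom,dc=com"}, ADMIN_WRITE + [("*", "search")])
ENTRY_RULE = (attrs("entry"), [("*", "read")])

# Order as posted, with the problem rule uncommented.
POSTED = [(PUBLIC, [("*", "read")]), PEOPLE_RULE, ENTRY_RULE]
# One possible fix (assumption): decide "entry" access before the broad dn
# rule, and keep write for the admins so they can still delete entries.
FIXED = [(PUBLIC, [("*", "read")]),
         (attrs("entry"), ADMIN_WRITE + [("*", "read")]),
         PEOPLE_RULE]

def returned_by_anonymous_search(rules, dn):
    """An entry is returned only if anonymous has read on its 'entry'."""
    return access(rules, dn, "entry", "anonymous") == "read"

if __name__ == "__main__":
    joe = "uid=joe,ou=People,dc=nowcom,dc=com"     # constructed sample DN
    print(access(POSTED, joe, "mail", "anonymous"))  # read: attrs rule wins
    print(returned_by_anonymous_search(POSTED, joe))  # False: dn rule gives only search
    print(returned_by_anonymous_search(FIXED, joe))   # True
```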