
Re: ACL problems



At 12:16 AM 10/3/00 +0000, Joseph Hoot wrote:
>I have the following ACL in slapd.conf:
>
>
>defaultaccess   none
> 
># Allow the following fields to be seen by the world
>access to attrs=mobile,mail,cn,sn,givenname,o,ou,title,uid,telephoneNumber
>        by * read
> 
># Allow the manager and user to change the user's password
>access to attrs=userpassword
>        by self write
>        by dn="cn=Manager,dc=nowcom,dc=com" write
>        by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
>        by * search
>#       by anonymous auth
> 
># Allow clients to authenticate
>access to attrs=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,desc
>        by dn="cn=Manager,dc=nowcom,dc=com" write
>        by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
>        by * read
>
># HERE IS MY PROBLEM 
># Allow the ldap manager and ldap sysadmins to change all information
># BTW, I have also tried "access to *"
>#access to dn="ou=People,dc=nowcom,dc=com"
>#       by dn="cn=Manager,dc=nowcom,dc=com" write
>#       by group="cn=sysadmin,ou=Group,dc=nowcom,dc=com" write
>#       by * search
> 
># Allow log information for slapd to use for internal use (This must be in
># here to authentic
>access to attrs=entry
>        by * read
>
>
>When I leave the above "HERE IS MY PROBLEM" acl commented out, I can do an
>anonymous ldapsearch and receive information back because of the "Allow the
>following fields to be seen by the world" ACL. If I uncomment the "HERE IS MY
>PROBLEM" ACL,

then the last ACL will only be reached if dn != "ou=People,dc=nowcom,dc=com".

>then I cannot get anything returned to me when I do an anonymous
>ldapsearch.  I do know that the ACL is read in the first seen, first match
>basis and I thought that everything is setup that way, but I could easily be
>mistaken.  Can someone please take a look at this and let me know if there is
>anything that I can do to be able to have LDAP administrators change all LDBM
>information but still allow anonymous users to use ldapsearch for addressbook
>information?
> 
>Thanks,
>Joe
>
>Joseph Hoot
>System Administrator
>http://www.networkpenguin.com
>joe@networkpenguin.com
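The first-match behaviour described above, modelled as an added example (constructed for this thread, not OpenLDAP's own code): the first "access to" clause whose target covers the entry and attribute decides, so once the dn="ou=People,..." clause is uncommented, anonymous gets only "search" on the "entry" pseudo-attribute of People entries and the later "access to attrs=entry ... by * read" clause is never reached for them. The sample entry DN, the simplified dn-suffix matching and the "entry_first" fix ordering are assumptions.

```python
# Constructed model of slapd.conf ACL evaluation: the first "access to" clause
# whose target matches the entry and attribute decides, then the first matching
# "by" clause within it. Illustration code only, not OpenLDAP's implementation.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=Manager,dc=nowcom,dc=com"

def clause(dn=None, attrs=None, by=()):
    """dn: suffix the entry must lie under (None = any); attrs: None = all attributes."""
    return (dn, {a.lower() for a in attrs} if attrs else None, list(by))

def evaluate(acls, entry_dn, attr, who):
    """Access level 'who' gets to 'attr' of 'entry_dn' (defaultaccess none)."""
    for dn_scope, attrs, by in acls:
        if dn_scope and not entry_dn.lower().endswith(dn_scope.lower()):
            continue                    # clause does not cover this entry
        if attrs is not None and attr.lower() not in attrs:
            continue                    # clause does not cover this attribute
        for subject, level in by:
            if subject == "*" or subject == who or (subject == "self" and who == entry_dn):
                return level            # first matching "by" wins
        return "none"                   # clause matched, but no "by" did
    return "none"                       # no clause matched: defaultaccess none

def entry_returned(acls, entry_dn, who):
    """slapd returns an entry only if 'who' has at least read on the entry pseudo-attribute."""
    return LEVELS.index(evaluate(acls, entry_dn, "entry", who)) >= LEVELS.index("read")

WORLD = ["mobile", "mail", "cn", "sn", "givenname", "o", "ou", "title", "uid", "telephoneNumber"]
public  = clause(attrs=WORLD, by=[("*", "read")])
passwd  = clause(attrs=["userpassword"], by=[("self", "write"), (MANAGER, "write"), ("*", "search")])
problem = clause(dn="ou=People,dc=nowcom,dc=com", by=[(MANAGER, "write"), ("*", "search")])
entry   = clause(attrs=["entry"], by=[("*", "read")])
# Assumed fix: grant access to "entry" before the catch-all dn clause, keeping the manager's write.
entry_first = clause(attrs=["entry"], by=[(MANAGER, "write"), ("*", "read")])

PERSON = "uid=joe,ou=People,dc=nowcom,dc=com"   # constructed sample entry
original = [public, passwd, entry]              # "HERE IS MY PROBLEM" clause commented out
broken   = [public, passwd, problem, entry]     # same clause uncommented
fixed    = [public, passwd, entry_first, problem]

if __name__ == "__main__":
    for name, acls in [("original", original), ("broken", broken), ("fixed", fixed)]:
        print(name, "anonymous on entry:", evaluate(acls, PERSON, "entry", "anonymous"),
              "| entry returned:", entry_returned(acls, PERSON, "anonymous"),
              "| manager on entry:", evaluate(acls, PERSON, "entry", MANAGER))
```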