
Re: Access control lists



On Tuesday, 27 March 2001 18:15, Jean-Eric Cuendet wrote:

> I need to issue the command
>   ldapmodify -x -D "uid=testjec,ou=People,dc=linkvest,dc=com" -f
> modify.ldif -r -w <passwd>
> Sometimes it works (with VERY permissive ACLs) and other times it fails
> (with chosen ACLs).
> Details are below.

>
> When setting
>   access to * by * write
> it produces the following log output:
>      Available in attached ldap.log.writestar
>
> And it works!
>

>
> When setting:
>   access to * by dn="uid=testjec,ou=People,dc=linkvest,dc=com" write
> I have
>      Available in attached ldap.log.testjec
>
> And it fails!

Are these your only ACLs? You need at least anonymous auth access to the 
object you want to authenticate as with a simple bind, so the minimum ACLs 
for your query to succeed are:

access to dn="uid=testjec,ou=People,dc=linkvest,dc=com"
	by anonymous +x stop
	by self +wrscx stop

access to * 
	by dn="uid=testjec,ou=People,dc=linkvest,dc=com" +wrscx stop

The order of these entries is also important (if access to * comes first, the 
other ACL will never be reached).

Consult the admin guide for details.

Stephan Siano

-- 
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn
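As an added illustration of the two rules in Stephan's answer (the first matching "access to" clause is the only one consulted, and a simple bind needs anonymous auth access to the entry being bound as), here is a small Python model of slapd's ACL evaluation. It is written for this page and is not OpenLDAP's code; it deliberately simplifies: it knows only `*`, `anonymous`, `users`, `self` and exact `dn="..."` matches, ignores attribute-level rules and the `stop` control (the default anyway), and `uid=someone,ou=People,dc=linkvest,dc=com` is a constructed sample entry. It evaluates the four configurations in the thread: Jean-Eric's `access to * by * write`, his failing `access to * by dn=... write`, Stephan's recommended pair, and that pair in the wrong order.

```python
"""Simplified model of slapd 'access to' evaluation (not OpenLDAP's code)."""
from dataclasses import dataclass

# Privileges implied by each named access level, as in slapd.conf.
LEVEL_PRIVS = {"none": "", "auth": "x", "compare": "cx",
               "search": "scx", "read": "rscx", "write": "wrscx"}

BIND_DN = "uid=testjec,ou=People,dc=linkvest,dc=com"
OTHER_DN = "uid=someone,ou=People,dc=linkvest,dc=com"  # constructed entry


@dataclass(frozen=True)
class By:
    who: str      # '*', 'anonymous', 'users', 'self' or 'dn="<dn>"'
    access: str   # named level ('write') or explicit privileges ('+wrscx')


@dataclass(frozen=True)
class Access:
    what: str     # '*' or 'dn="<dn>"'
    by: tuple     # By clauses in slapd.conf order


def _dn_of(spec: str) -> str:
    """Strip the dn="..." wrapper; DNs compare case-insensitively here."""
    return spec[len('dn="'):-1].lower()


def privileges(access: str) -> set:
    """Expand a by-clause access spec into a set of privilege letters."""
    if access.startswith("+"):
        return set(access[1:])
    return set(LEVEL_PRIVS[access])


def who_matches(who: str, requestor, target: str) -> bool:
    """requestor is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requestor is None
    if who == "users":
        return requestor is not None
    if who == "self":
        return requestor is not None and requestor.lower() == target.lower()
    if who.startswith('dn="'):
        return requestor is not None and requestor.lower() == _dn_of(who)
    raise ValueError(f"unsupported who clause: {who}")


def what_matches(what: str, target: str) -> bool:
    if what == "*":
        return True
    if what.startswith('dn="'):
        return _dn_of(what) == target.lower()
    raise ValueError(f"unsupported what clause: {what}")


def allowed(acls, target: str, requestor, priv: str) -> bool:
    """First 'access to' matching the target wins; inside it the first
    matching 'by' clause decides. No match at either level denies."""
    for acl in acls:
        if not what_matches(acl.what, target):
            continue
        for clause in acl.by:
            if who_matches(clause.who, requestor, target):
                return priv in privileges(clause.access)
        return False  # a 'to' clause matched but no 'by' clause did
    return False


def simple_bind_succeeds(acls, bind_dn: str) -> bool:
    """A simple bind is checked as an anonymous request for auth ('x')
    access to the entry being bound as, before the password is compared."""
    return allowed(acls, bind_dn, None, "x")


def scenario(acls) -> dict:
    """Bind as testjec, then try the writes the ldapmodify would need."""
    return {"bind": simple_bind_succeeds(acls, BIND_DN),
            "modify_other": allowed(acls, OTHER_DN, BIND_DN, "w"),
            "modify_self": allowed(acls, BIND_DN, BIND_DN, "w")}


WRITESTAR = (Access("*", (By("*", "write"),)),)               # works: '*' covers anonymous
ORIGINAL = (Access("*", (By(f'dn="{BIND_DN}"', "write"),)),)  # fails: anonymous never matches
RECOMMENDED = (
    Access(f'dn="{BIND_DN}"', (By("anonymous", "+x"), By("self", "+wrscx"))),
    Access("*", (By(f'dn="{BIND_DN}"', "+wrscx"),)),
)
REVERSED = RECOMMENDED[::-1]  # 'access to *' first shadows the specific ACL

if __name__ == "__main__":
    for name in ("WRITESTAR", "ORIGINAL", "RECOMMENDED", "REVERSED"):
        print(f"{name:12} {scenario(globals()[name])}")
```

Run as a script it prints, for each configuration, whether the bind gets through and whether the subsequent writes would be permitted; only RECOMMENDED passes all three, and REVERSED fails at the bind even though its clauses are identical.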