
ACL not doing what I think it should



I was in the process of writing this and the damn thing started working
the way I expected.  I can't explain it.  I'm in shock.  I was about to
quote debug output of ACLs and ask why it was always defaulting to the
"by * auth" line when I was explicitly binding with one of the dn entries
in the ACL.  Now it works.  Maybe part of the problem was the missing
index.  I will experiment with that.

You can safely ignore the rest of the message, but I sent it just so
that you can see what I was about to ask.  Like Bartles says, thank you
for your support.

Blue skies...		Todd

-------------->
The same openldap2/qmail/courierimap system I've been working to
configure and understand.  With the help of a kind soul, I've got the
missing index file figured out (seems like it should have been obvious,
but it wasn't until I thought a few more times about what Kurt said with
the "if a value doesn't exist for an attribute" statement).

Now, explain what's happening with this ACL.  Here's the ACL:
access to attr=userPassword
        by dn="cn=Manager,dc=mrball,dc=net" write
        by dn="cn=courier,dc=mrball,dc=net" read
        by dn="cn=qmail,dc=mrball,dc=net" read
        by self read
        by * auth
access to *
        by dn="cn=Manager,dc=mrball,dc=net" write
        by dn="cn=courier,dc=mrball,dc=net" read
        by dn="cn=qmail,dc=mrball,dc=net" read
        by self read

Manager is defined in slapd.conf, courier and qmail are two accounts
that I added in manually and passworded (those two accounts have
objectclass person used to define them).
....
Hmmmm, as I look at it, that very well could be the problem.  I'll retry
it by creating an ou=admin,dc=mrball,dc=net with the same objectclasses as
my working email accounts, then define cn=qmail,ou=admin,dc=... and the
same for courier and see if it works the way I expect it to (after
modifying the ACLs of course)
-- 
Blue skies...		Todd
| Get a bigger hammer!   |  Are you feeling lucky...punk?         |
| http://www.mrball.net  |  I've had better days...               |
| http://faq.mrball.net  |  It's the end of the world as we know i|
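
The following is an added example, not part of the original message and not OpenLDAP code: a simplified Python model of how slapd picks a clause from the ACL quoted above (first matching `access to`, then first matching `by`, with an implicit `by * none` at the end). It assumes exact, case-insensitive DN matching rather than slapd's own `dn=` matching, and `uid=alice` / `uid=bob` in the test calls are hypothetical entries.

```python
# Simplified model of slapd access evaluation (added example; not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # ascending

# The ACL from the message: (what, [(who, level), ...]) in file order.
ACL = [
    ("userPassword", [("cn=Manager,dc=mrball,dc=net", "write"),
                      ("cn=courier,dc=mrball,dc=net", "read"),
                      ("cn=qmail,dc=mrball,dc=net", "read"),
                      ("self", "read"),
                      ("*", "auth")]),
    ("*",            [("cn=Manager,dc=mrball,dc=net", "write"),
                      ("cn=courier,dc=mrball,dc=net", "read"),
                      ("cn=qmail,dc=mrball,dc=net", "read"),
                      ("self", "read")]),
]

def norm(dn):
    """Lower-case and strip spaces around RDN separators (assumed simplification)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def who_matches(who, requester, target):
    if who == "*":
        return True                       # everyone, anonymous included
    if requester == "":
        return False                      # anonymous matches no dn= or self clause
    if who == "self":
        return norm(requester) == norm(target)
    return norm(requester) == norm(who)

def granted(requester, target, attr, acl=ACL):
    """Return (level, clause) for requester ('' = anonymous) on target's attr."""
    for what, by_clauses in acl:
        if what != "*" and what.lower() != attr.lower():
            continue                      # this directive does not cover attr
        for who, level in by_clauses:     # first matching <who> ends evaluation
            if who_matches(who, requester, target):
                return level, f"by {who} {level}"
        return "none", "implicit by * none"
    return "none", "implicit access to * by * none"

def allows(requester, target, attr, needed):
    """True if the granted level is at least `needed`."""
    level, _ = granted(requester, target, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)
```

The password check of a simple bind runs before the connection has an identity, so it is evaluated as anonymous (`requester=""`) and lands on `by * auth`; the `dn=` clauses only apply to operations after the bind. The model also shows that the second directive has no `by *` clause, so anonymous and other users get `none` on everything except `userPassword`.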