Re: ACL for userPassword problems



Actually the guide states: 'Access to the entry itself must be granted
or denied using the special attribute name "entry".' But there are ACL
examples that specify attributes without using the "entry" attribute,
for example this one:

    access to dn="(.*,)?dc=example,dc=com" attr=homePhone
        by self write
        .
        .
        .

Is the "entry" attribute necessary only when a dn regexp or filter has
not been provided to select the entries?  For example in this case:

    access to attr=member,entry
        by dnattr=member selfwrite

This is further confused by the example (on page 31 in my copy) that
defines the ldbm for example.com.  The access control definitions are
these:

    access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Admin,dc=example,dc=com" write
        by * none
    access to *
        by self write
        by dn="cn=Admin,dc=example,dc=com" write
        by * read

Note that the "entry" attribute is not specified with the userPassword
attribute.  Is this because the next ACL defines "access to *" (i.e.,
all entries)?

I think I get it, but in my opinion the guide is a bit confusing on this
subject.

On Fri, 15 Feb 2002, Thomas Hager wrote:

> according to the openldap admin guide, giving access to attributes with
> attrs="bla" is not enough. you have to define to which entries the
> access rule applies.
>
> try this acl:
>
> access to "dn=.*" attrs=userPassword
>      by self write
>      by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
>      by anonymous auth
>      by * none
>
> tom.
>
> On Fri, 2002-02-15 at 00:28, Christine Robertson wrote:
> > Greetings all,
> > 	We are running OpenLDAP 2.0.19 (the port to FreeBSD), and
> > I seem to have broken by ACL for the userPassword attribute.  The
> > ACL is:
> > access to attrs=userPassword
> >     by self write
> >     by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
> >     by anonymous auth
> >     by * none
> >
> > but I cannot see the attribute with ldapsearch binding either as
> > the entry itself or as the root DN.
> >
> > Any thoughts on why would be much appreciated.
> >
> > --Chris Robertson
> > Corinthian Engineering, Sydney, Australia
>
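The question in the reply above is really about how slapd picks a rule: for each (entry, attribute) it takes the first "access to" clause whose <what> matches and then the first "by" clause whose <who> matches, and returning an attribute in a search result needs read on that attribute and read on the "entry" pseudo-attribute. The following is an added Python model of that evaluation, written for this page and not OpenLDAP's code. It uses the two rules from the guide example quoted above (cn=Admin,dc=example,dc=com is from the thread); the entry DNs uid=chris and uid=bob, and the rootdn cn=Manager, are constructed for the demonstration. It also shows why the rootdn sees everything: slapd never consults ACLs for it.

```python
# Added example: simplified model of slapd's first-match ACL evaluation
# (see slapd.access(5)).  Not OpenLDAP's implementation.
import re

# Access levels in increasing order; a granted level satisfies any lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_ge(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


# The two "access to" clauses from the guide example quoted in the thread.
# "dn": regex over the target entry DN, or None for any entry.
# "attrs": set of attribute names, or None for all attributes, which
#          includes the special "entry" pseudo-attribute.
ACLS = [
    # access to attr=userPassword
    {"dn": None, "attrs": {"userPassword"},
     "by": [("self", "write"),
            ("anonymous", "auth"),
            ("dn:cn=Admin,dc=example,dc=com", "write"),
            ("*", "none")]},
    # access to *   (every entry, every attribute, including "entry")
    {"dn": None, "attrs": None,
     "by": [("self", "write"),
            ("dn:cn=Admin,dc=example,dc=com", "write"),
            ("*", "read")]},
]


def who_matches(who, bind_dn, target_dn):
    """Does a <who> clause match the bound identity for this target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn:"):  # exact DN match (constructed shorthand)
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    return False


def granted_level(bind_dn, target_dn, attr, acls=ACLS):
    """First matching 'access to' clause wins; within it, first matching 'by'."""
    for acl in acls:
        if acl["dn"] is not None and not re.fullmatch(acl["dn"], target_dn):
            continue
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause matched, but no 'by' matched: denied
    return "none"      # no clause matched at all: denied


def can_read_in_search(bind_dn, target_dn, attr, rootdn=None):
    """Would ldapsearch return `attr` of `target_dn` to `bind_dn`?"""
    # The rootdn bypasses ACLs entirely.
    if rootdn is not None and bind_dn is not None \
            and bind_dn.lower() == rootdn.lower():
        return True
    # Need read on the attribute AND read on the "entry" pseudo-attribute;
    # here "entry" is covered by the catch-all "access to *" clause.
    return (level_ge(granted_level(bind_dn, target_dn, attr), "read")
            and level_ge(granted_level(bind_dn, target_dn, "entry"), "read"))


if __name__ == "__main__":
    chris = "uid=chris,dc=example,dc=com"
    print("anonymous sees userPassword:", can_read_in_search(None, chris, "userPassword"))
    print("self sees userPassword:     ", can_read_in_search(chris, chris, "userPassword"))
    print("anonymous sees homePhone:   ", can_read_in_search(None, chris, "homePhone"))
```

With these rules an anonymous bind only gets "auth" on userPassword (enough to bind, not to read it), the entry's owner and cn=Admin get "write", everyone else hits "by * none", and the "entry" pseudo-attribute falls through to "access to *". That is why the guide example does not list "entry" next to userPassword: the catch-all rule already grants it.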