
ACL's & slapd



Okie,

After reading slapd.access several times, I'm completely lost on how I could do something that seems quite simple, but in practice is not working at all, especially when SASL is added in:

If I have:

access to dn=""
	by * read

access to attrs=suKrb5Name
	by * search

access to *
	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read

I can't see suKrb5Name in the output when I do an ldapsearch. Note that I'm doing SASL authentication, so it needs search on suKrb5Name to do the saslregexp to authenticate me. If I do

access to attrs=suKrb5Name
	by * search break

It then overwrites the access with the by dn="suRegID=...." read, and then can no longer authenticate me. Shouldn't there be some way to make access to * truly be access to everything, regardless of the preceding ACLs?

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
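
An added example, not part of the original message and not OpenLDAP code: a simplified Python model of how slapd walks `access to` clauses, run against the two rule sets from the post plus one reordered variant. Assumptions: the `access to dn=""` clause is left out as not matching the people entry, the SASL identity lookup is modelled as a requester with no bound DN, and the `REORDERED` rule set and all Python names are hypothetical.

```python
# Simplified model of slapd ACL evaluation; "continue" and +/- privileges are not modelled.
USER = "suRegID=<my regid>, cn=people,dc=stanford,dc=edu"  # DN as written in the post
LOOKUP = ""  # assumption: the SASL identity lookup runs with no bound DN

def evaluate(acls, who_dn, attr):
    """Return the access level who_dn ends up with on attr.

    acls is a list of (target, by_clauses); target is "*" or an attribute name,
    and each by clause is (who, level, control) with who "*" or an exact DN.
    """
    granted = "none"
    for target, by_clauses in acls:
        if target not in ("*", attr):
            continue  # this access clause does not cover the attribute
        # Every access clause ends with an implicit "by * none stop".
        for who, level, control in by_clauses + [("*", "none", "stop")]:
            if who in ("*", who_dn):
                granted = level  # a plain level replaces anything granted earlier
                if control == "stop":
                    return granted
                break  # control "break": move on to the next matching access clause
    return granted

ORIGINAL = [
    ("suKrb5Name", [("*", "search", "stop")]),
    ("*", [(USER, "read", "stop")]),
]
WITH_BREAK = [
    ("suKrb5Name", [("*", "search", "break")]),
    ("*", [(USER, "read", "stop")]),
]
# Assumption, not from the post: the specific DN listed ahead of "by *" in the same clause.
REORDERED = [
    ("suKrb5Name", [(USER, "read", "stop"), ("*", "search", "stop")]),
    ("*", [(USER, "read", "stop")]),
]

def outcome(acls):
    """Access on suKrb5Name for the pre-auth lookup and for the bound user."""
    return {"lookup": evaluate(acls, LOOKUP, "suKrb5Name"),
            "user": evaluate(acls, USER, "suKrb5Name")}

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("break", WITH_BREAK), ("reordered", REORDERED)):
        print(name, outcome(acls))
```

In the model, the first rule set stops at `by * search` for every requester, and the `break` variant lets the unbound lookup fall through to `access to *`, where only the implicit `by * none` matches it.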