
Re: ACL's & slapd





--On Monday, October 07, 2002 8:58 PM +0200 Peter Marschall <peter.marschall@mayn.de> wrote:

> Hi,
>
> On Monday 07 October 2002 19:12, you wrote:
>> After reading slapd.access several times, I'm completely lost on how I
>> could do something that seems quite simple, but in practice is not
>> working at all, especially when SASL is added in:
>>
>> If I have:
>>
>> access to dn=""
>> 	by * read
>>
>> access to attrs=suKrb5Name
>> 	by * search
>>
>> access to *
>> 	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read
>>
>> I can't see suKrb5Name in the output when I do an ldapsearch.  Note that
>> I'm doing SASL authentication, so it needs search on suKrb5Name to do the
>> saslregexp to authenticate me.  If I do
>>
>> access to attrs=suKrb5Name
>> 	by * search break
>>
>> It then overwrites the access with the by dn="suRegID=...." read, and
>> then can no longer authenticate me.  Shouldn't there be some way to make
>> access to * truly be access to everything, regardless of the preceding
>> ACLs?
>
> I have not tested it in this special case, but have you tried grouping
> more than one "by clause" into the access statements?
>
> IIRC, the following lines should do the trick
>
> access to dn=""
> 	by * read
>
> access to attrs=suKrb5Name
> 	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read
> 	by * search
>
> access to *
> 	by dn="suRegID=<my regid>, cn=people,dc=stanford,dc=edu" read

Peter,

damn, that makes too much sense.  :P I knew it had to be simple.

Thanks!

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
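To see why the first ordering hides suKrb5Name, why `break` then locks anonymous out of the saslregexp lookup, and why the grouped directive works, here is a small Python model of slapd's first-match ACL evaluation. It is added for this thread and is not OpenLDAP code; it assumes exact string comparison of DNs, a requester of either `anonymous` or a bind DN, and that no matching directive at all means no access.

```python
# Toy model of slapd ACL evaluation (added example, not OpenLDAP code).  Rules taken
# from slapd.access(5): directives are tried in order and the first whose <what> matches
# wins; inside it the first <by> whose <who> matches wins; the default control is "stop",
# "break" continues with later directives (whose result replaces the earlier one), and
# a directive in which no <by> matches denies access via an implicit "by * none".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PERSON = "suRegID=<my regid>, cn=people,dc=stanford,dc=edu"   # bind DN from the thread

def what_matches(what, dn, attr):
    """<what> is '*', ('dn', exact_dn) or ('attrs', {names}); attr=None is the entry itself."""
    if what == "*":
        return True
    kind, value = what
    if kind == "dn":                       # dn="" matches the root DSE only
        return attr is None and dn == value
    return attr is not None and attr in value

def evaluate(acl, requester, dn, attr=None):
    """Access level `requester` ('anonymous' or a bind DN) gets to `attr` of entry `dn`."""
    granted = "none"                       # assumption: no matching directive -> no access
    for what, by_clauses in acl:
        if not what_matches(what, dn, attr):
            continue
        granted, control = next(((lvl, ctl) for who, lvl, ctl in by_clauses
                                 if who in ("*", requester)), ("none", "stop"))
        if control == "stop":
            return granted
    return granted

def allows(level, needed):                 # levels are cumulative: read implies search
    return LEVELS.index(level) >= LEVELS.index(needed)

# Quanah's first configuration: attrs=suKrb5Name matches before "access to *" is reached.
ORIGINAL = [
    (("dn", ""), [("*", "read", "stop")]),
    (("attrs", {"suKrb5Name"}), [("*", "search", "stop")]),
    ("*", [(PERSON, "read", "stop")]),
]
# The "by * search break" variant: "access to *" is consulted next and denies anonymous.
WITH_BREAK = [
    (("dn", ""), [("*", "read", "stop")]),
    (("attrs", {"suKrb5Name"}), [("*", "search", "break")]),
    ("*", [(PERSON, "read", "stop")]),
]
# Peter's grouping: both <by> clauses live in the directive that actually matches.
GROUPED = [
    (("dn", ""), [("*", "read", "stop")]),
    (("attrs", {"suKrb5Name"}), [(PERSON, "read", "stop"), ("*", "search", "stop")]),
    ("*", [(PERSON, "read", "stop")]),
]
```

`evaluate(ORIGINAL, PERSON, PERSON, "suKrb5Name")` yields only `search`, which is why ldapsearch never shows the attribute, while the grouped version yields `read` for the bind DN and `search` for anonymous.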