Re: Access Control



Quoting Matty <mattyml@bellsouth.net>:

 | I just got this to work (FINALLY!!). I added:
 | 
 | access to attrs=userpassword
 |         by * auth
You might want it more like:

access  to      attribute=userPassword
        by      self    write
        by      anonymous       auth
        by      *       none

 | 
 | to the top of my access declarations. Anyone know why this is required?

It isn't for the ldapsearch that you were asking about.  But as I mentioned
in my previous email, a password was required based on your acl.

ed

 | 
 | Thanks,
 | Ryan
 | 
 | On Fri, 2002-12-27 at 21:27, Matty wrote:
 | > Howdy folks,
 | >
 | > I have been mucking with Access Control for the past day and 1/2, and
 | > cannot seem to get a cn to authenticate. I created several
 | > contact objects, and a cn named email [1] which I want to allow
 | > read/write access to a specific branch of my DIT. After reading through
 | > the docs on www.openldap.org, I thought:
 | >
 | > access to dn="ou=contacts,dc=dom,dc=com"
 | >         by  dn="cn=email,dc=dom,dc=com"  write
 | >
 | > would allow email to read/write to the contacts branch of the tree. When
 | > I run ldapsearch:
 | >
 | > $ ldapsearch -h ldap.dom.com -LL -D 'cn=email,dc=dom,dc=com' -b
 | > 'ou=contacts,dc=dom,dc=com' '(cn=*)'
 | >
 | > I get:
 | >
 | > Bind Password:
 | > ldap_simple_bind_s: Insufficient access
 | >
 | > Anyone happen to know what I am missing? I have experimented with
 | > various things I found on google, but so far, no luck :(
 | >
 | > Thanks for any insight,
 | > Ryan
 | >
 | > [1]
 | > dn: cn=email,dc=dom,dc=com
 | > objectClass: top
 | > objectClass: organizationalRole
 | > objectClass: simpleSecurityObject
 | > cn: email
 | > description: User allowed to update the contacts tree
 | > userPassword: (MD5)94cc0f2c4100623b4efc85a534b7cd2a
 | --
 | Ryan Matteson - UNIX Administrator
 | GPG ID: 1B52A210 2002-12-01 Ryan Matteson (Primary Key Pair)
 | <matty91@bellsouth.net>
 | Public Key: http://www.daemons.net/~matty/public.asc
 | Detached Digital Signature: http://www.daemons.net/~matty/public.sig.asc
 | Fingerprint = A0B1 298E 29C4 3F26 01D5  EDFC 3D62 281F 1B52 A210
 | 
 | 


-------------------------------------------------
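
The following is an added example, not part of the original messages and not OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation, applied to the two ACLs discussed in the thread. It assumes `dn=` behaves as a suffix match, that a simple bind is checked as an anonymous client needing `auth` on `userPassword`, and that anything unmatched falls through to an implicit `by * none`; all function and variable names are illustrative.

```python
# Simplified model of slapd access evaluation (illustrative, not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous (not yet bound) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    return requester == who            # literal DN in a "by dn=..." clause

def granted(acls, requester, entry_dn, attr):
    """First matching 'access to' wins, then its first matching 'by' clause."""
    for dn_suffix, attr_name, by_clauses in acls:
        if dn_suffix and not entry_dn.lower().endswith(dn_suffix.lower()):
            continue
        if attr_name and attr_name.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"                  # implicit trailing "by * none"
    return "none"                      # implicit "access to * by * none"

def simple_bind_allowed(acls, bind_dn):
    """Assumption: the bind needs anonymous 'auth' access to userPassword."""
    level = granted(acls, None, bind_dn, "userPassword")
    return LEVELS.index(level) >= LEVELS.index("auth")

EMAIL = "cn=email,dc=dom,dc=com"
CONTACTS = "ou=contacts,dc=dom,dc=com"

# ACL from the original question: only the contacts branch is covered.
ORIGINAL = [(CONTACTS, None, [(EMAIL, "write")])]

# The userPassword rule suggested in the reply, placed before the branch rule.
PASSWORD_RULE = ("", "userPassword",
                 [("self", "write"), ("anonymous", "auth"), ("*", "none")])
FIXED = [PASSWORD_RULE] + ORIGINAL

if __name__ == "__main__":
    print("bind with original ACL:", simple_bind_allowed(ORIGINAL, EMAIL))
    print("bind with userPassword rule:", simple_bind_allowed(FIXED, EMAIL))
    print("email on a contact's cn:",
          granted(FIXED, EMAIL, "cn=bob," + CONTACTS, "cn"))
    print("another user on email's userPassword:",
          granted(FIXED, "cn=other,dc=dom,dc=com", EMAIL, "userPassword"))
```

In this model the `by * none` line keeps every other bound identity from reading or comparing the stored password hash, which the shorter `by * auth` form does not state explicitly.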