[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control

To: Matty <mattyml@bellsouth.net>
Subject: Re: Access Control
From: eculp@encontacto.net
Date: Fri, 27 Dec 2002 19:20:19 -0800
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <1041044379.3839.2.camel@pooh>
References: <1041042438.3058.23.camel@pooh> <1041044379.3839.2.camel@pooh>
User-agent: Internet Messaging Program (IMP) 4.0-cvs

Quoting Matty <mattyml@bellsouth.net>:

 | I just got this to work (FINALLY!!). I added:
 | 
 | access to attrs=userpassword
 |         by * auth
You might want it more like:

access  to      attribute=userPassword
        by      self    write
        by      anonymous       auth
        by      *       none

 | 
 | to the top of my access declarations. Anyone know why this is required?

It isn't for the ldapsearch that you were asking about.  But as I mentioned
in my previous email, a password was required based on your acl.

ed

 | 
 | Thanks,
 | Ryan
 | 
 | On Fri, 2002-12-27 at 21:27, Matty wrote:
 | > Howdy folks,
 | >
 | > I have been mucking with Access Control for the past day and 1/2, and
 | > cannot seem to get a cn to authenticate. I created several
 | > contact objects, and a cn named email [1] which I want to allow
 | > read/write access to a specific branch of my DIT. After reading through
 | > the docs on www.openldap.org, I thought:
 | >
 | > access to dn="ou=contacts,dc=dom,dc=com"
 | >         by  dn="cn=email,dc=dom,dc=com"  write
 | >
 | > would allow email to read/write to the contacts branch of the tree. When
 | > I run ldapsearch:
 | >
 | > $ ldapsearch -h ldap.dom.com -LL -D 'cn=email,dc=dom,dc=com' -b
 | > 'ou=contacts,dc=dom,dc=com' '(cn=*)'
 | >
 | > I get:
 | >
 | > Bind Password:
 | > ldap_simple_bind_s: Insufficient access
 | >
 | > Anyone happen to know what I am missing? I have experimented with
 | > various things I found on google, but so far, no luck :(
 | >
 | > Thanks for any insight,
 | > Ryan
 | >
 | > [1]
 | > dn: cn=email,dc=dom,dc=com
 | > objectClass: top
 | > objectClass: organizationalRole
 | > objectClass: simpleSecurityObject
 | > cn: email
 | > description: User allowed to update the contacts tree
 | > userPassword: (MD5)94cc0f2c4100623b4efc85a534b7cd2a
 | --
 | Ryan Matteson - UNIX Administrator
 | GPG ID: 1B52A210 2002-12-01 Ryan Matteson (Primary Key Pair)
 | <matty91@bellsouth.net>
 | Public Key: http://www.daemons.net/~matty/public.asc
 | Detached Digital Signature: http://www.daemons.net/~matty/public.sig.asc
 | Fingerprint = A0B1 298E 29C4 3F26 01D5  EDFC 3D62 281F 1B52 A210
 | 
 | 


-- 


-------------------------------------------------

References:
- Access Control
  - From: Matty <mattyml@bellsouth.net>
- Re: Access Control
  - From: Matty <mattyml@bellsouth.net>

Prev by Date: Re: Access Control
Next by Date: Re: Access Control
Index(es):
- Chronological
- Thread