# Rule 1: specifically the attributes userPassword and sn (Surname, or
# "Last Name" in Microsoft Outlook).
#   by dn="cn=Manager,o=sunrise.com" write
#       allows the Manager or the rootdn to write these attributes
#   by self write
#       allows an authenticated user to write its own attributes
#   by * auth
#       allows anonymous and authenticated users to authenticate only; all
#       can contact the server through authentication, but access to the
#       attributes depends on the access rights above
# (The comments are kept above the directive: slapd.conf joins the indented
# continuation lines of a directive, so a comment line must not sit between
# them.)
access to attrs=userPassword,sn
        by dn="cn=Manager,o=sunrise.com" write
        by self write
        by * auth

# Rule 2: all entries and attributes except userPassword and sn (that leaves
# only the cn and mail attributes in entry.ldif).
#   by dn="cn=Manager,o=sunrise.com" write
#       allows the Manager or the rootdn to write these entries and attributes
#   by self write
#       allows an authenticated user to write its own entry and attributes
#       (only cn and mail, as in entry.ldif); it is listed before the
#       ".*,o=sunrise.com" rule because the first matching "by" clause wins,
#       and the other order would never give a user write access to its own
#       entry
#   by dn=".*,o=sunrise.com" read
#       allows specific users to read entries and attributes (only cn and
#       mail, as in entry.ldif)
#   by users read
#       allows all authenticated users to read entries and attributes (only
#       cn and mail, as in entry.ldif)
#   by anonymous read
#       allows anonymous users to read entries and attributes (only cn and
#       mail, as in entry.ldif)
#   by * auth
#       allows anonymous and authenticated users to authenticate only; all
#       can contact the server through authentication, but access to the
#       attributes depends on the access rights above
access to *
        by dn="cn=Manager,o=sunrise.com" write
        by self write
        by dn=".*,o=sunrise.com" read
        by users read
        by anonymous read
        by * auth
_o _\<_ __(_)/(_)  life's a journey not a destination....

----- Original Message -----
From: "Matty" <mattyml@bellsouth.net>
Sent: Saturday, December 28, 2002 8:29 AM
Subject: Re: Access Control

>
> access to attrs=userpassword
> by * auth
>
> to the top of my access declarations. Anyone know why this is required?
>
> Thanks,
> Ryan
>
> On Fri, 2002-12-27 at 21:27, Matty wrote:
> > Howdy folks,
> >
> > I have been mucking with Access Control for the past day and 1/2, and
> > cannot seem to get a cn to authenticate. I created several
> > contact objects, and a cn named email [1] which I want to allow
> > read/write access to a specific branch of my DIT. After reading through
> > the docs on www.openldap.org, I thought:
> >
> > access to dn="ou=contacts,dc=dom,dc=com"
> > by dn="cn=email,dc=dom,dc=com" write
> >
> > would allow email to read/write to the contacts branch of the tree. When
> > I run ldapsearch:
> >
> > $ ldapsearch -h ldap.dom.com -LL -D 'cn=email,dc=dom,dc=com' -b 'ou=contacts,dc=dom,dc=com' '(cn=*)'
> >
> > I get:
> >
> > Bind Password:
> > ldap_simple_bind_s: Insufficient access
> >
> > Anyone happen to know what I am missing? I have experimented with
> > various things I found on google, but so far, no luck :(
> >
> > Thanks for any insight,
> > Ryan
> >
> > [1]
> > dn: cn=email,dc=dom,dc=com
> > objectClass: top
> > objectClass: organizationalRole
> > objectClass: simpleSecurityObject
> > cn: email
> > description: User allowed to update the contacts tree
> > userPassword: (MD5)94cc0f2c4100623b4efc85a534b7cd2a
> --
> Ryan Matteson - UNIX Administrator
> GPG ID: 1B52A210 2002-12-01 Ryan Matteson (Primary Key Pair)
> <matty91@bellsouth.net>
> Public Key: http://www.daemons.net/~matty/public.asc
> Detached Digital Signature: http://www.daemons.net/~matty/public.sig.asc
> Fingerprint = A0B1 298E 29C4 3F26 01D5 EDFC 3D62 281F 1B52 A210
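The quoted exchange leaves Ryan's last question open: why does `access to attrs=userpassword by * auth` have to sit at the top? The access list below is an added example by the editor, not part of either message. It reuses the DNs from the quoted message (dc=dom,dc=com, cn=email, ou=contacts) and assumes OpenLDAP 2.1-style `dn.subtree`/`dn.exact` selectors; the rule ordering and the explanation of slapd's evaluation order are the point.

```conf
# Added example, not from the original thread. DNs come from the quoted
# message; dn.subtree/dn.exact selectors assume OpenLDAP 2.1 or later.
#
# How slapd applies this file:
#  - "access to" clauses are tried top to bottom; the first clause whose
#    target (dn and attrs) matches the entry/attribute being touched is
#    used and the remaining clauses are ignored for that access check.
#  - inside that clause the first matching "by" decides. Levels are
#    ordered none < auth < compare < search < read < write, and a level
#    grants everything below it; "auth" permits a bind and nothing else.
#  - when access directives exist but none matches, an implicit
#    "access to * by * none" applies. The original file only had a rule
#    for ou=contacts, so the simple bind's check for "auth" access to the
#    userPassword of cn=email,dc=dom,dc=com fell through to that implicit
#    "none", which is the "ldap_simple_bind_s: Insufficient access" seen
#    before any search was attempted.
#  - keep comments above a directive, never between its indented
#    continuation lines, which slapd joins into one logical line.

# 1. Passwords: nobody may read them, a user may change its own, and the
#    (still anonymous) binding client may authenticate against them. This
#    must precede any "access to *" rule or it is never reached.
access to attrs=userPassword
        by self write
        by * auth

# 2. The contacts branch and everything below it. dn.subtree covers the
#    child contact entries as well as the ou entry itself; "write" for
#    cn=email already implies the search and read access ldapsearch needs.
access to dn.subtree="ou=contacts,dc=dom,dc=com"
        by dn.exact="cn=email,dc=dom,dc=com" write
        by users read
        by * none

# 3. Everything else: an explicit catch-all, so the policy is visible in
#    the file rather than left to the implicit "by * none".
access to *
        by self write
        by users read
        by * none
```

With this in place the bind in the quoted ldapsearch succeeds and the search then proceeds under rule 2; a quick check with the OpenLDAP client tools is `ldapwhoami -x -D 'cn=email,dc=dom,dc=com' -W -H ldap://ldap.dom.com`, which should print the bind DN instead of `Insufficient access` (assuming a client version that ships ldapwhoami).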