Re: Proper ACL's?
On 01.08.2003 at 21:16, Brian wrote:
-----------------------------------
>I'm having what must be a really simple issue with ACL's in OpenLDAP and
>allowing users to authenticate with ssh. If I have no ACL's, it works
>fine. If I put in something like this:
>
>access to dn="" by * read
>access to attr=userpassword
> by self write
> by anonymous auth
>
>access to *
> by self write
> by users read
>
>Then users can't authenticate with ssh.
I don't know much about OpenLDAP, and almost nothing about
ssh-authentication with OpenLDAP, but: Are you aware that the
access directives are parsed from top to bottom, and that *only*
the *first* matching rule is applied?
(see: http://www.openldap.org/doc/admin21/slapdconfig.html#Access Control,
paragraph "5.3.4. Access Control Evaluation")
I can't say that I understand what
access to dn="" by * read
means (haven't read all of the OpenLDAP admin guide), but maybe you should
try to change the order of the access directives?
Regards,
Hon.
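
Added example, not part of the original message or of OpenLDAP: a small Python model of the evaluation order from the admin guide section cited above (first matching `access to` directive, then first matching `by` clause, otherwise no access), applied to the three directives quoted in the question. It assumes `dn=""` selects only the entry with the empty DN, compares DNs as plain strings, and uses constructed sample DNs.

```python
# Access levels of slapd.conf, weakest to strongest.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The directives from the quoted message, in file order.
# Assumption: dn="" selects only the entry whose DN is empty.
RULES = [
    (("dn", ""), [("*", "read")]),
    (("attr", "userpassword"), [("self", "write"), ("anonymous", "auth")]),
    (("*", None), [("self", "write"), ("users", "read")]),
]

def what_matches(what, entry_dn, attr):
    kind, value = what
    if kind == "dn":
        return entry_dn == value
    if kind == "attr":
        return attr.lower() == value
    return True  # "access to *"

def who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn == entry_dn
    return False

def granted(rules, bound_dn, entry_dn, attr):
    """First matching <what> is selected, then its first matching <who>."""
    for what, by_clauses in rules:
        if what_matches(what, entry_dn, attr):
            for who, access in by_clauses:
                if who_matches(who, bound_dn, entry_dn):
                    return access
            return "none"  # no <who> matched: later directives are not tried
    return "none"  # no directive matched at all

def allowed(rules, bound_dn, entry_dn, attr, wanted):
    return LEVELS.index(granted(rules, bound_dn, entry_dn, attr)) >= LEVELS.index(wanted)

if __name__ == "__main__":
    user = "uid=brian,dc=example,dc=com"   # constructed sample DNs
    other = "uid=hon,dc=example,dc=com"
    for who in (None, user, other):
        for attr in ("userPassword", "uid"):
            print(who or "anonymous", attr, granted(RULES, who, user, attr))
```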