
Re: slapd.conf - acl question



Hi,

Hi,

We are on 2.1.22 and I appear to have an acl problem. I have one access
line (for test purposes) in my slapd.conf file with one db (bdb):

access to attr=sn
	by * read

When you do this, you don't have access to anything but attr=sn. So you can't see any attributes like uid=douglas or anything else in the directory. For every ACL you write, there's an invisible "access to * by * none" at the end, so if there's no match anywhere in the ACL, you don't have any access.


I just did another test. In slapd.conf I have:

access to *
	by * read

access to *
	by * none

ACLs work by a first match and out. Once a match is made, we leave the ACL, and no other analysis is done. In this case, you are allowing read-only access to everything, so the second line will never be reached no matter what you place there.



I would think this would turn everything on then everything off, yet when I do an ldapsearch, I can see ALL attributes of who I look at. If I try it with no access line, then the default takes over that gives read access to anonymous.

My main question is the one at the beginning: why does having one access
line of:

access to attr=sn by * read

appear not to work?

Thanks!
Cheers,
Douglas


This link might be helpful to you - I've found it helpful.
http://www.openldap.org/faq/data/cache/189.html

-Matt

--
Matt Richard
Access and Security Coordinator
Franklin & Marshall College
matt.richard@fandm.edu
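As an added example (not code from the thread or from OpenLDAP), a small Python model of the two behaviours Matt describes: first matching "access to" clause wins, and an implicit "access to * by * none" sits at the end of every ACL. It parses only the subset of slapd.conf syntax used in the thread, and the sample attribute list and the anonymous requester are constructed.

```python
# Added example: a model of slapd's first-match ACL evaluation, not slapd code.
# Only the 'access to <what>' / 'by <who> <level>' subset from the thread is parsed.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to <what>' clauses, each followed by 'by <who> <level>' entries.
    <what> is '*' or 'attr=<name>'; <who> is '*' or a literal requester name."""
    clauses, tokens, i = [], text.split(), 0
    while i < len(tokens):
        if tokens[i] == "access" and tokens[i + 1] == "to":
            clauses.append({"what": tokens[i + 2], "by": []})
        elif tokens[i] == "by" and clauses:
            clauses[-1]["by"].append((tokens[i + 1], tokens[i + 2]))
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
        i += 3
    # slapd behaves as if this clause were always appended to the ACL
    clauses.append({"what": "*", "by": [("*", "none")], "implicit": True})
    return clauses

def decide(clauses, attr, who="anonymous"):
    """First-match evaluation: the first clause whose <what> covers the attribute
    decides, and within it the first matching <by> gives the level.
    Returns (level, index of the deciding clause)."""
    for idx, clause in enumerate(clauses):
        if clause["what"] in ("*", f"attr={attr}"):
            for by_who, level in clause["by"]:
                if by_who in ("*", who):
                    return level, idx
            return "none", idx  # <what> matched but no <by> matched: denied
    return "none", len(clauses) - 1  # not reachable thanks to the implicit clause

def visible_attrs(acl_text, attrs, who="anonymous"):
    """Attributes an ldapsearch by <who> would actually get back."""
    clauses = parse_acl(acl_text)
    return [a for a in attrs
            if LEVELS.index(decide(clauses, a, who)[0]) >= LEVELS.index("read")]

ATTRS = ["uid", "cn", "sn", "mail"]  # constructed sample entry
SN_ONLY = "access to attr=sn\n\tby * read"
ALL_THEN_NONE = "access to *\n\tby * read\n\naccess to *\n\tby * none"

if __name__ == "__main__":
    print(visible_attrs(SN_ONLY, ATTRS))            # ['sn']: everything else hits the implicit deny
    print(visible_attrs(ALL_THEN_NONE, ATTRS))      # all four attributes
    print(decide(parse_acl(ALL_THEN_NONE), "uid"))  # ('read', 0): the 'by * none' clause is never reached
```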