Re: Help on ACLs
Hi,
First of all, you need to move the 'access to attr=userPassword' to the top.
ACLs are evaluated from top to bottom, and the first one that matches will
take effect.
In your case, 'access to *' will match every entry and all attributes of every
entry (including userPassword), so the second rule will never be reached at
all.
> I have these in slapd.conf
>
> access to *
>     by self write
>     by users read
>     by dn.base="cn=admin,dc=domain,dc=com" write
>     by anonymous auth
>
> access to attr=userPassword
>     by self write
>     by dn.base="cn=admin,dc=domain,dc=com" write
Furthermore, you should move the 'by anonymous auth' from the first rule to
the second rule (and of course, then place the second rule at the top).
Authentication happens anonymously against the userPassword!
>
> I want to restrict access to userPassword for other users. Appreciate any
> help.
That will do the trick. No one can access the userPassword, except 'self' and
the admin, who both can write, and anonymous, who can auth.
access to attr=userPassword
    by self write
    by dn.base="cn=admin,dc=domain,dc=com" write
    by anonymous auth

access to *
    by self write
    by users read
    by dn.base="cn=admin,dc=domain,dc=com" write
That should do it. It's very good of you that you specified 'dn.base' and not
just 'dn', which defaults to 'dn.regex', since dn.regex will match ANY dn with
the string 'cn=admin,dc=domain,dc=com' in it
(so also 'uid=user1,cn=admin,dc=domain,dc=com'!)
Hope that helps,
ace
website: http://www.suares.nl * http://www.qwikzite.nl
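The first-match evaluation described in the reply above, worked through as an added example that is not part of the original post or of OpenLDAP: a small Python model of how slapd walks `access to` rules and their `by` clauses, run against the poster's configuration, the reply's recommended configuration, and the in-between case where the two rules are swapped but 'by anonymous auth' is left in the catch-all rule. The DNs uid=user1,... and uid=user2,... are assumed for the walk-through, the evaluator understands only the `<what>` and `<who>` forms that appear in this thread, and unanchored `dn.regex` is modelled as a substring search, which is the pitfall the reply points out. The real check against a live slapd.conf is slapacl(8).

```python
import re

# Access levels from slapd.access(5), lowest to highest; a granted level
# implies every level to its left (read implies auth, and so on).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Assumed DNs for the walk-through (only cn=admin comes from the thread).
ADMIN = "cn=admin,dc=domain,dc=com"
USER1 = "uid=user1,ou=people,dc=domain,dc=com"
USER2 = "uid=user2,ou=people,dc=domain,dc=com"

# The poster's ordering, copied from the quoted slapd.conf.
ORIGINAL = """
access to *
    by self write
    by users read
    by dn.base="cn=admin,dc=domain,dc=com" write
    by anonymous auth
access to attr=userPassword
    by self write
    by dn.base="cn=admin,dc=domain,dc=com" write
"""

# The ordering the reply recommends.
RECOMMENDED = """
access to attr=userPassword
    by self write
    by dn.base="cn=admin,dc=domain,dc=com" write
    by anonymous auth
access to *
    by self write
    by users read
    by dn.base="cn=admin,dc=domain,dc=com" write
"""

# Rules swapped, but 'by anonymous auth' left in the catch-all rule.
_head, _tail = ORIGINAL.split("access to attr=userPassword\n")
HALF_FIXED = "access to attr=userPassword\n" + _tail + _head


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order; indented
    'by' lines continue the preceding 'access to' directive as in slapd.conf."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, level))
        else:
            raise ValueError("unsupported line: %r" % raw)
    return acls


def who_matches(who, bind_dn, target_dn):
    """Does a <who> clause apply to the requester? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:            # every remaining form needs an authenticated DN
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    style, _, pattern = who.partition("=")
    pattern = pattern.strip('"')
    if style in ("dn.base", "dn.exact"):
        return bind_dn.lower() == pattern.lower()
    if style == "dn.regex":
        # Unanchored regex: the pattern may match anywhere inside the bind DN.
        return re.search(pattern, bind_dn) is not None
    raise ValueError("unsupported <who>: " + who)


def granted_level(acl_text, bind_dn, target_dn, attr):
    """The first 'access to' whose <what> covers the request is selected, and
    inside it the first matching 'by' clause decides. Later rules are never
    consulted, even when no 'by' clause matched (the result is then 'none')."""
    for what, clauses in parse_acls(acl_text):
        if what == "*" or (what.startswith("attr=") and what[5:].lower() == attr.lower()):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"  # not reached here: every config above contains 'access to *'


def allows(acl_text, bind_dn, target_dn, attr, needed):
    """Is 'needed' access granted? A higher level implies the lower ones."""
    got = granted_level(acl_text, bind_dn, target_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(needed)


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("half fixed", HALF_FIXED), ("recommended", RECOMMENDED)]:
        print("%-12s user1 reads user2's userPassword: %s" % (name, allows(text, USER1, USER2, "userPassword", "read")))
        print("%-12s anonymous bind as user1 (auth):   %s" % (name, allows(text, None, USER1, "userPassword", "auth")))
        print("%-12s user1 reads user2's mail:         %s" % (name, allows(text, USER1, USER2, "mail", "read")))
    # dn.regex vs dn.base: an entry below cn=admin passes the unanchored regex.
    child = "uid=user1," + ADMIN
    print("dn.regex matches", child, who_matches('dn.regex="%s"' % ADMIN, child, USER2))
    print("dn.base  matches", child, who_matches('dn.base="%s"' % ADMIN, child, USER2))
```

Running it shows the three outcomes the reply describes: with the poster's order every authenticated user can read everyone's userPassword; with the rules merely swapped nobody can bind, because the userPassword rule is matched first and has no clause for anonymous; with the recommended order only self and the admin reach the hash, anonymous gets exactly auth, and ordinary attributes are still readable by users.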
- References:
- Help on ACLs
- From: "Chakravarthy Cuddapah" <cuddapah@cuddapahonline.net>