-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
First of all, you need to move the 'access to attr=userPassword' to the top. ACLs are evaluated from top to bottom, and the first one that matches will take effect. In your case, 'access to *' will match every entry and all attributes of every entry (including userPassword), so the second rule will never be reached at all.
> I have these in slapd.conf
>
> access to *
>         by self write
>         by users read
>         by dn.base="cn=admin,dc=domain,dc=com" write
>         by anonymous auth
>
> access to attr=userPassword
>         by self write
>         by dn.base="cn=admin,dc=domain,dc=com" write
Furthermore, you should move the 'by anonymous auth' from the first rule to the second rule (and of course, then place the second rule at the top). Authentication happens anonymously against the userPassword!
>
> I want to restrict access to userPassword for other users. Appreciate any
> help.
That will do the trick. No one can access the userPassword, except 'self' and the admin, who both can write, and anonymous, who can auth.
access to attr=userPassword
        by self write
        by dn.base="cn=admin,dc=domain,dc=com" write
        by anonymous auth

access to *
        by self write
        by users read
        by dn.base="cn=admin,dc=domain,dc=com" write
That should do it. It's very good of you that you specified 'dn.base' and not just 'dn', which defaults to 'dn.regex', since dn.regex will match ANY dn with the string 'cn=admin,dc=domain,dc=com' in it (so, also 'uid=user1,cn=admin,dc=domain,dc=com'!).
Hope that helps,
ace
website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iD8DBQFAAPQYy7boE8xtIjURAje3AJwNrhNBjta0sqtjBRSRZe2vI1PLVwCgojEC
b0jc5PtIzJCK5xeEDtu8h1c=
=+nms
-----END PGP SIGNATURE-----
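The two points made in the reply (first matching 'access to' clause wins, and anonymous bind needs 'auth' on userPassword) are easy to get wrong when editing slapd.conf by hand. The following is an added example, not OpenLDAP code and not from the mail's author: a small Python model of slapd's first-match ACL evaluation, run over the poster's original ACL, a version that was only reordered, and the corrected version from the reply. It also models the 'dn.base' versus unanchored 'dn.regex' distinction the reply describes. The DNs (uid=user1, uid=user2) are constructed sample values; the model deliberately ignores slapd features that do not matter here (ssf, the entry pseudo-attribute, peername, etc.) and treats a bare 'dn=' as regex, as the message says that version did.

```python
"""Toy first-match model of slapd ACL evaluation (added example, not OpenLDAP code)."""
import re
from dataclasses import dataclass, field

# slapd access levels, lowest to highest; each level implies those below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str    # "self", "users", "anonymous", "*", 'dn.base="..."', 'dn.regex="..."'
    level: str


@dataclass
class Access:
    what: str   # "*" or "attr=<name>[,<name>...]"
    bys: list = field(default_factory=list)


def parse_acl(text):
    """Parse the subset of slapd.conf ACL syntax used in the mail."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            rules.append(Access(line[len("access to "):].strip()))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1].bys.append(By(who.strip(), level))
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return rules


def what_matches(what, attr):
    if what == "*":
        return True                      # every entry and every attribute
    if what.startswith("attr="):
        return attr in {a.strip() for a in what[5:].split(",")}
    raise ValueError(what)


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.base="):        # exact DN match only
        return requester is not None and requester.lower() == who[8:].strip('"').lower()
    if who.startswith("dn.regex=") or who.startswith("dn="):
        # Unanchored regex: matches any DN containing the pattern (assumption:
        # bare 'dn=' behaves as regex, as the mail describes for that version).
        pattern = who.split("=", 1)[1].strip('"')
        return requester is not None and re.search(pattern, requester, re.I) is not None
    raise ValueError(who)


def granted(rules, requester, target_dn, attr):
    """Level granted by first-match evaluation: the first 'access to' that matches
    the target decides; within it the first matching 'by' decides; otherwise none."""
    for rule in rules:
        if not what_matches(rule.what, attr):
            continue
        for by in rule.bys:
            if who_matches(by.who, requester, target_dn):
                return by.level
        return "none"                    # implicit trailing 'by * none'
    return "none"


def allows(rules, requester, target_dn, attr, needed):
    return LEVELS.index(granted(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


ADMIN = 'dn.base="cn=admin,dc=domain,dc=com"'
ORIGINAL = f"""
access to *
        by self write
        by users read
        by {ADMIN} write
        by anonymous auth
access to attr=userPassword
        by self write
        by {ADMIN} write
"""
REORDERED_ONLY = f"""
access to attr=userPassword
        by self write
        by {ADMIN} write
access to *
        by self write
        by users read
        by {ADMIN} write
        by anonymous auth
"""
FIXED = f"""
access to attr=userPassword
        by self write
        by {ADMIN} write
        by anonymous auth
access to *
        by self write
        by users read
        by {ADMIN} write
"""

if __name__ == "__main__":
    u1, u2 = "uid=user1,dc=domain,dc=com", "uid=user2,dc=domain,dc=com"   # constructed
    for name, text in (("original", ORIGINAL), ("reordered only", REORDERED_ONLY), ("fixed", FIXED)):
        r = parse_acl(text)
        print(f"{name:15} user1 reads user2's userPassword: {allows(r, u1, u2, 'userPassword', 'read')}; "
              f"anonymous can bind as user2: {allows(r, None, u2, 'userPassword', 'auth')}")
```

Running it shows the three states the reply walks through: with the original order other users can read userPassword (the first rule swallows it); reordering alone locks userPassword down but also breaks anonymous bind, since 'auth' is no longer reachable for that attribute; the fixed ACL gives none to other users, auth to anonymous, and write to self and the admin. The regex check illustrates why the reply praises 'dn.base': an unanchored 'dn.regex' for the admin DN also matches 'uid=user1,cn=admin,dc=domain,dc=com'.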