RE: Help on ACLs

It works! Thanks!


From: owner-openldap-software@OpenLDAP.org on behalf of Ace Suares
Sent: Sun 1/11/2004 2:16 AM
To: openldap-software@OpenLDAP.org
Subject: Re: Help on ACLs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

First of all, you need to move the 'access to attr=userPassword' to the top.

ACLs are evaluated from top to bottom, and the first one that matches will
take effect.

In your case, 'access to *' will match every entry and all attributes of every
entry (including userPassword) so the second rule will never be reached at
all.

> I have these in slapd.conf
>
> access to *
>         by self write
>         by users read
>         by dn.base="cn=admin,dc=domain,dc=com" write
>         by anonymous auth
>
> access to attr=userPassword
>         by self write
>         by dn.base="cn=admin,dc=domain,dc=com" write

Furthermore, you should move the 'by anonymous auth' from the first rule to
the second rule (and of course, then place the second rule to the top).

Authentication happens anonymously against the userPassword!

>
> I want to restrict access to userPassword for other users. Appreciate any
> help.

That will do the trick. No one can access the userPassword, except 'self' and
the admin, who both can write, and anonymous, who can auth.

# Evaluated first: only self, the admin and the bind (auth) step can touch userPassword
access to attr=userPassword
        by self write
        by dn.base="cn=admin,dc=domain,dc=com" write
        by anonymous auth

# Everything else: anonymous matches no 'by' clause here, so it falls through to none
access to *
        by self write
        by users read
        by dn.base="cn=admin,dc=domain,dc=com" write

That should do it. It's very good of you that you specified 'dn.base' and not
just 'dn' which defaults to 'dn.regex', since dn.regex will match ANY dn with
the string 'cn=admin,dc=domain,dc=com' in it
(so, also 'uid=user1,cn=admin,dc=domain,dc=com' !)

Hope that helps,
ace

website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFAAPQYy7boE8xtIjURAje3AJwNrhNBjta0sqtjBRSRZe2vI1PLVwCgojEC
b0jc5PtIzJCK5xeEDtu8h1c=
=+nms
-----END PGP SIGNATURE-----
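The two points in Ace's reply (first matching `access to` clause wins, and a bare `dn=` selects an unanchored regex) are easy to get wrong because slapd gives no warning. Below is an added example, not code from the thread or from OpenLDAP, that models slapd's ACL evaluation in Python and runs both configurations through it. The model's assumptions are stated in its docstring; the DNs (user1, user2, the admin and an impostor entry placed under cn=admin) are constructed for the demonstration and do not appear in the thread.

```python
"""Model of OpenLDAP slapd ACL evaluation for the thread's two configurations.

Assumptions of this model (it is a simulation, not slapd's own code):
 - the first 'access to' clause whose <what> matches is the only one consulted;
 - inside it, the first matching 'by' clause decides the access level;
 - a clause with no matching 'by' behaves like a trailing 'by * none';
 - a bare 'dn=<pattern>' is treated as dn.regex and the regex is unanchored.
"""
import re
from dataclasses import dataclass

# slapd access levels from weakest to strongest; a level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str    # self | users | anonymous | * | dn.base=<dn> | dn.regex=<re> | dn=<re>
    level: str


@dataclass
class Access:
    what: str   # '*' or 'attr=<name>[,<name>...]'
    by: list


def parse(conf):
    """Parse the 'access to ... / by ...' lines of a slapd.conf fragment."""
    acls = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append(Access(line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[len("by "):].rsplit(None, 1)
            acls[-1].by.append(By(who.replace('"', ""), level))
    return acls


def what_matches(what, attr):
    if what == "*":
        return True
    names = [a.strip().lower() for a in what[len("attr="):].split(",")]
    return attr.lower() in names


def who_matches(who, binddn, target):
    """binddn is None for an anonymous client; target is the DN being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if binddn is None:
        return False                        # users/self/dn.* all need a bound DN
    if who == "users":
        return True
    if who == "self":
        return binddn.lower() == target.lower()
    if who.startswith("dn.base="):
        return binddn.lower() == who[len("dn.base="):].lower()
    pattern = who.split("=", 1)[1]          # dn.regex= or bare dn=: unanchored regex
    return re.search(pattern, binddn, re.IGNORECASE) is not None


def evaluate(acls, binddn, target, attr, needed):
    """Return (granted, level) for `needed` access to `attr` of entry `target`."""
    for acl in acls:
        if not what_matches(acl.what, attr):
            continue                        # this clause does not apply
        for by in acl.by:                   # first matching 'by' decides
            if who_matches(by.who, binddn, target):
                level = by.level
                break
        else:
            level = "none"                  # implicit trailing 'by * none'
        return LEVELS.index(level) >= LEVELS.index(needed), level
    return False, "none"                    # no clause matched at all


def can(conf, binddn, target, attr, needed):
    return evaluate(parse(conf), binddn, target, attr, needed)[0]


# The two configurations from the thread: the poster's original and Ace's reordering.
ORIGINAL = """
access to *
        by self write
        by users read
        by dn.base="cn=admin,dc=domain,dc=com" write
        by anonymous auth
access to attr=userPassword
        by self write
        by dn.base="cn=admin,dc=domain,dc=com" write
"""
FIXED = """
access to attr=userPassword
        by self write
        by dn.base="cn=admin,dc=domain,dc=com" write
        by anonymous auth
access to *
        by self write
        by users read
        by dn.base="cn=admin,dc=domain,dc=com" write
"""
# Same as FIXED but with a bare dn= (regex style) for the admin, the pitfall Ace mentions.
REGEX_ADMIN = FIXED.replace('dn.base="cn=admin', 'dn="cn=admin')

# Constructed DNs for the demonstration; none of these come from the thread.
USER1 = "uid=user1,ou=people,dc=domain,dc=com"
USER2 = "uid=user2,ou=people,dc=domain,dc=com"
ADMIN = "cn=admin,dc=domain,dc=com"
IMPOSTOR = "uid=user1,cn=admin,dc=domain,dc=com"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "user2 reads user1's userPassword:", can(conf, USER2, USER1, "userPassword", "read"))
        print(name, "anonymous bind (auth) as user1:", can(conf, None, USER1, "userPassword", "auth"))
    print("regex admin: impostor writes user1's userPassword:", can(REGEX_ADMIN, IMPOSTOR, USER1, "userPassword", "write"))
```

With the original ordering, `access to *` swallows userPassword and `by users read` hands every authenticated user the password hashes of everyone else; after the reordering the same request falls off the end of the userPassword clause and gets none, while anonymous binds still work because `auth` is granted there. The `REGEX_ADMIN` variant shows why `dn.base` matters: an entry created under `cn=admin,dc=domain,dc=com` would satisfy the unanchored regex and inherit write access to all passwords.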