Re: Slave/Replica server authentication/authorization question

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, February 26, 2004 9:47 AM -0600 "Aaron M. Hirsch" 
<Aaron.Hirsch@atosorigin.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ~From my understanding the following rules should allow for users to
> authenticate as themselves or anonymously:
>
> access to attrs=userPassword
> ~    by self write
> ~    by anonymous auth
>
> and the following allows anonymous queries of the database:
>
> access to *
> ~    by * read

I think you misunderstand what "auth" means.  I think you need "compare" 
for your anonymous line at a minimum, otherwise there is no access to the 
userpassword entry that the incoming connection can use to determine if the 
password supplied is correct or not.

Please see:

<http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control>

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html