
Re: problem with access control



> Ottavio Campana <ottavio@campana.vi.it> 03/08/04 06:02pm >>>
>I'm trying to set up an address book with ldap. I want that one user (in
>this case uid=bott,ou=Users,dc=campana,dc=vi,dc=it) can access the
>address book with password and read and write it, while any other person
>cannot have a look at the records.
>
>I've tried this rule in slapd.conf:
>
>
>access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
>         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" read
>         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
>         by * none
>
>but it doesn't work, for if I run ldapsearch anonymously I can get all
>the info of the address book.
>
>What's wrong with it?

Hi Ottavio,

What version of OpenLDAP are you using?

What is above this rule in slapd.conf? The _first_ rule that matches a
query makes the decision for access. For instance, if you have something
like:

access to dn.subtree="dc=campana,dc=vi,dc=it"
    by * read

above this entry, this one will never be seen.

Also, in this entry, uid=bott,ou=Users,dc=campana,dc=vi,dc=it will
never be able to write; he will have only read access because the "read"
restriction line will satisfy slapd for access. The second line will
never be applied. "write" implies "read" also. Please read slapd.conf(5),
slapd.access(5) and the OpenLDAP administrators guide (again).

You might also (and more appropriately) try the umich general ldap list
for these kinds of general ldap questions.

Mike.
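To make the two points of the reply concrete (the first matching `access to` clause wins, and within it the first matching `by` line stops evaluation, with "write" implying "read"), here is a small added model of slapd's first-match ACL evaluation. It is constructed for this thread, not OpenLDAP code, and only handles the `dn.subtree` target and the `*` / `dn=` subjects used in the posts; the entry DN under the address book is made up.

```python
"""Toy model of slapd 'access to ... by ...' evaluation (constructed example,
not OpenLDAP code). Rule 1: the first 'access to' clause whose target matches
the entry decides; later clauses are never consulted. Rule 2: inside it, the
first 'by' line whose subject matches decides the level, and levels are
cumulative, so 'write' implies 'read'."""

# Access levels in increasing order of privilege (subset of slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def in_subtree(entry_dn, base_dn):
    """dn.subtree="base" matches the base entry itself and everything below it."""
    entry, base = entry_dn.lower(), base_dn.lower()
    return entry == base or entry.endswith("," + base)


def who_matches(who, bind_dn):
    """Subject matchers used in the thread: '*' (anyone) and dn="..."."""
    if who == "*":
        return True
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported 'by' subject: " + who)


def granted_level(acl, entry_dn, bind_dn):
    """First matching 'access to' clause, then its first matching 'by' line."""
    for target, by_lines in acl:
        if not in_subtree(entry_dn, target):
            continue                      # this clause does not apply
        for who, level in by_lines:
            if who_matches(who, bind_dn):
                return level              # first match wins; stop here
        return "none"                     # clause matched but no 'by' line did
    return "none"                         # slapd default when nothing matches


def allowed(acl, entry_dn, bind_dn, wanted):
    """True if the granted level is at least `wanted` (write implies read)."""
    return LEVELS.index(granted_level(acl, entry_dn, bind_dn)) >= LEVELS.index(wanted)


BOOK = "ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
BOTT = "uid=bott,ou=Users,dc=campana,dc=vi,dc=it"

# Ottavio's clause: the 'read' line fires first, so the 'write' line is dead.
ORIGINAL = [(BOOK, [("dn=" + BOTT, "read"), ("dn=" + BOTT, "write"), ("*", "none")])]
# Corrected clause: one 'write' line for bott (implies read), none for the rest.
FIXED = [(BOOK, [("dn=" + BOTT, "write"), ("*", "none")])]
# Mike's shadowing case: a broader clause earlier in slapd.conf matches first.
SHADOWED = [("dc=campana,dc=vi,dc=it", [("*", "read")])] + FIXED
```

Run `allowed(SHADOWED, "cn=Mario Rossi," + BOOK, None, "read")` to reproduce the anonymous ldapsearch symptom from the first post: the broad clause grants read before the address-book clause is ever reached.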