
Re: problem with access control





--On Monday, March 08, 2004 6:02 PM +0100 Ottavio Campana <ottavio@campana.vi.it> wrote:

I'm trying to set up an address book with ldap. I want one user (in
this case uid=bott,ou=Users,dc=campana,dc=vi,dc=it) to be able to access the
address book with a password and read and write it, while any other person
cannot look at the records.

I've tried this rule in slapd.conf:


access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" read
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
         by * none

but it doesn't work, for if I run ldapsearch anonymously I can get all
the info in the address book.

I will note that WRITE implies READ, so you can have just:

access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
         by * none



--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
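Added example (Python, not part of the thread or of OpenLDAP): a small model of how slapd evaluates access directives per slapd.access(5), where the first "access to" whose <what> matches the entry is selected and, within it, the first matching "by" clause decides the level (default "stop" control), with each level implying the lower ones. Run against the rule as posted and against Quanah's rewrite, it shows why a single write clause is enough and how an earlier, broader directive in slapd.conf would shadow the address-book rule; the sample entry DN and the shadowing directive are constructed for the example.

```python
# Access levels in ascending order; a granted level implies every lower
# one, which is why "write" already covers "read". (Newer releases add
# "disclose" and "manage"; they are omitted here for simplicity.)
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def dn_in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies below it."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

def who_matches(who, requester_dn):
    """<who> is '*' (anyone), 'anonymous', or 'dn=<exact dn>'."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who.startswith("dn="):
        return requester_dn is not None and requester_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who>: " + who)

def granted_level(acls, entry_dn, requester_dn):
    """acls: list of (subtree_base or '*', [(who, level), ...]) in slapd.conf
    order. Returns the level the requester gets on entry_dn."""
    for subtree, by_clauses in acls:
        if subtree != "*" and not dn_in_subtree(entry_dn, subtree):
            continue               # this "access to" does not apply; try next
        for who, level in by_clauses:
            if who_matches(who, requester_dn):
                return level       # first matching "by" wins; evaluation stops
        return "none"              # <what> matched but no <who> did
    return "none"                  # no directive matched at all

def allows(acls, entry_dn, requester_dn, wanted):
    """Does the granted level imply the wanted one?"""
    return LEVELS.index(granted_level(acls, entry_dn, requester_dn)) >= LEVELS.index(wanted)

BOOK = "ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
BOTT = "uid=bott,ou=Users,dc=campana,dc=vi,dc=it"
ENTRY = "cn=someone," + BOOK       # constructed sample entry in the address book

# The rule as posted: the first "by dn=" clause for bott grants only read.
ORIGINAL = [(BOOK, [("dn=" + BOTT, "read"), ("dn=" + BOTT, "write"), ("*", "none")])]
# Quanah's version: one clause, since write implies read.
FIXED = [(BOOK, [("dn=" + BOTT, "write"), ("*", "none")])]
# Constructed scenario: a broad directive placed earlier in slapd.conf is
# selected first for every entry, so the address-book rule is never reached.
SHADOWED = [("*", [("*", "read")])] + FIXED
```

Checking the ordering of every `access to` directive, not just the one for the subtree in question, is the first thing to verify when an anonymous ldapsearch still returns entries.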