[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: adding access control for replication user
> On Sun, 18 Apr 2004, Pierangelo Masarati wrote:
>
>> > Thanks that does make things work, I did in fact have something
>> similar exept it was more like ...
>> >
>> > access to attrs=userPassword
>> > by dn="<your replicator's DN>" write
>> > by self write
>> > by * auth
>>
>> Likely you added a last directive of the form
>> access to *
>> by dn.exact="<your replicator's DN>" write
>>
>> This by default implies that anonymous users can't read "*".
>>
>> If your intention is that everything that's not explicitly
>> protected by ACLs must be readable by all including anonymous,
>> then add a last directive of the form
>>
>> access to *
>> by dn.exact="<your replicator's DN>" write
>> by * read
>>
> rats when I run ldapsearch -x it still will not work.
>
> Here is my acl
> <snip>
> access to dn="" by * read
> access to *
> by self write
> by users read
> by anonymous auth
> by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
> by * read
> </snip>
ACL <who> clauses are tested in order; anonymous, besides being not
required in your example, comes before *, so anonymous only gets auth
permission. Note that auth permission is meaningful only for auth tokens,
i.e. userpasswords, so there's no reason to give anybody auth permission
to anything else. Please stick with my initial example:
access to attrs=userPassword
by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
by self write
by * auth
access to *
by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
by * read
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it