
Re: adding access control for replication user



On Sun, 18 Apr 2004, Pierangelo Masarati wrote:
> > On Sun, 18 Apr 2004, Pierangelo Masarati wrote:
> >
> >> > Thanks that does make things work, I did in fact have something
> >> > similar except it was more like ...
> >> >
> >> > access to attrs=userPassword
> >> > by dn="<your replicator's DN>" write
> >> > by self write
> >> > by * auth
> >>
> >> Likely you added a last directive of the form
> >> access to *
> >>         by dn.exact="<your replicator's DN>" write
> >>
> >> This by default implies that anonymous users can't read "*".
> >>
> >> If your intention is that everything that's not explicitly
> >> protected by ACLs must be readable by all including anonymous,
> >> then add a last directive of the form
> >>
> >> access to *
> >>         by dn.exact="<your replicator's DN>" write
> >>         by * read
> >>
> > Rats, when I run ldapsearch -x it still will not work.
> >
> > Here is my acl
> > <snip>
> > access to dn="" by * read
> > access to *
> >        by self write
> >        by users read
> >        by anonymous auth
> >        by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
> >        by * read
> > </snip>
>
> ACL <who> clauses are tested in order; anonymous, besides being not
> required in your example, comes before *, so anonymous only gets auth
> permission. Note that auth permission is meaningful only for auth tokens,
> i.e. userpasswords, so there's no reason to give anybody auth permission
> to anything else.  Please stick with my initial example:
>
> access to attrs=userPassword
>         by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
>         by self write
>         by * auth
>
> access to *
>         by dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN" write
>         by * read
>
Thanks very much for your excellent help and making this clear to me. It
works perfectly now and I should be able to correctly expand my rules in
the future.
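The first-match rule Pierangelo describes, as an added example (not code from the thread or from OpenLDAP): a toy Python model of slapd ACL evaluation run over both ACLs quoted above. It assumes a simplified semantics (the first matching `access to` clause is selected, then its first matching `by` clause wins) and models only the `<what>`/`<who>` selectors the thread uses, not dn.regex, group, peername or the break/continue controls.

```python
# Toy model of slapd ACL evaluation (added example, not from the thread).
# Assumed: first matching `access to` wins, then its first matching `by`.
REPL = 'dn.exact="UID=REPLICATOR,OU=ADMINS,O=HOMETOWN"'

# The poster's ACL: anonymous is matched before `by * read`, so it gets auth.
ORIGINAL = [
    ('dn=""', [("*", "read")]),
    ("*", [("self", "write"), ("users", "read"), ("anonymous", "auth"),
           (REPL, "write"), ("*", "read")]),
]
# Pierangelo's ACL: only userPassword is restricted; the rest is readable by all.
SUGGESTED = [
    ("attrs=userPassword", [(REPL, "write"), ("self", "write"), ("*", "auth")]),
    ("*", [(REPL, "write"), ("*", "read")]),
]

def who_matches(who, bind_dn, entry_dn):
    """<who> selectors used in the thread; bind_dn is None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn is not None and bind_dn.lower() == who[9:].strip('"').lower()
    raise ValueError("unsupported <who>: " + who)

def target_matches(target, entry_dn, attr):
    """<what> selectors used in the thread: *, attrs=<name>, and dn="" (root DSE)."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return target[6:].lower() == attr.lower()
    if target.startswith("dn="):
        return entry_dn.lower() == target[3:].strip('"').lower()
    raise ValueError("unsupported <what>: " + target)

def evaluate(acl, bind_dn, entry_dn, attr):
    """Access level bind_dn gets on entry_dn/attr; 'none' when nothing matches."""
    for target, by_clauses in acl:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level    # first matching <who> wins; later clauses are ignored
        return "none"           # target matched, no <who> did
    return "none"
```

Under this model the poster's ACL also grants the replicator only read on `*`, because `by users read` matches it before its own `dn.exact` clause is reached.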