
Re: Access Control by Organizational Unit?



Heather Lockridge writes:
> I am having a problem. I can read, but not write to
> the ldap db.

> access to * by * read
> access to * by * search
> access to *
>             by self write
>             by dn.base="cn=ldap-admin,o=test.com" write
>             by * none

Only the first matching "access to" is used.  So since "access to *"
matches everything, everyone just gets read access to everything.
Similarly, when the server has determined which "access" statement to
use, the first matching "by" is used.  You can override this with the
<control> field explained in 'man slapd.access', but I have never needed
it.

Also, "read" access implies "search" access.  From 'man slapd.access':
  The possible levels are none, auth, compare, search, read, and write.
  Each access level implies all the preceding ones

So try

  access to * by self write
              by dn.base="cn=ldap-admin,o=test.com" write
              by * read

_after_ all the other access statements.  Except I don't see who and
what you wanted to give "none" access to, since you give "read" and
"none" access to the same <what> and the same <who>.

-- 
Hallvard
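The two rules Hallvard describes (first matching "access to" wins, then the first matching "by" inside it, with each access level implying the lower ones) are easy to get wrong by eye. The following is an added example, not code from this thread or from OpenLDAP: a small Python model of that evaluation order, run over a transcription of Heather's original ACL and over the suggested single clause. It is deliberately simplified (assumptions: <what> is only `*` or `dn.base="..."`, <who> is only `*`, `self` or `dn.base="..."`, and no <control> keywords), and the DNs `cn=ldap-admin,o=test.com` and `uid=heather,o=test.com` are taken from or constructed for the thread.

```python
"""Toy model of slapd 'access to <what> by <who> <level>' evaluation.

Added example; not the thread's or OpenLDAP's own code.  Models only the
rules discussed in the reply:
  * the first 'access to' clause whose <what> matches the target is used;
  * inside it, the first 'by' clause whose <who> matches the bind DN is used;
  * access levels form a ladder, each level implying the ones before it.
Assumptions: <what> is '*' or dn.base="<dn>"; <who> is '*', 'self' or
dn.base="<dn>"; no <control> ('stop', 'continue', 'break') handling.
"""
import re

# Ladder from slapd.access(5): none < auth < compare < search < read < write
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed transcription of the ACL quoted in the thread.
ORIGINAL_ACL = """
access to * by * read
access to * by * search
access to *
    by self write
    by dn.base="cn=ldap-admin,o=test.com" write
    by * none
"""

# The single clause suggested in the reply.
FIXED_ACL = """
access to * by self write
            by dn.base="cn=ldap-admin,o=test.com" write
            by * read
"""


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order.

    Lines are joined first, so a 'by' continuation line still belongs to the
    'access to' clause that precedes it."""
    body = " ".join(line.strip() for line in text.strip().splitlines())
    clauses = []
    for chunk in re.split(r"\baccess to\b", body):
        chunk = chunk.strip()
        if not chunk:
            continue
        parts = re.split(r"\bby\b", chunk)
        what = parts[0].strip()
        bys = []
        for by in parts[1:]:
            who, level = by.split()[:2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            bys.append((who, level))
        clauses.append((what, bys))
    return clauses


def _dn_base(spec):
    """Extract the DN from a dn.base="..." specifier, or None."""
    m = re.fullmatch(r'dn\.base="([^"]*)"', spec)
    return m.group(1) if m else None


def what_matches(what, target_dn):
    return what == "*" or _dn_base(what) == target_dn


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "self":  # bound as the entry being accessed
        return bind_dn is not None and bind_dn == target_dn
    dn = _dn_base(who)
    if dn is not None:
        return bind_dn == dn
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(clauses, bind_dn, target_dn):
    """First matching <what> wins; within it the first matching <who> wins.
    No matching 'by' is modelled as deny, i.e. an implicit 'by * none'."""
    for what, bys in clauses:
        if not what_matches(what, target_dn):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(granted, needed):
    """'read' implies 'search', 'write' implies all lower levels, etc."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def check(acl_text, bind_dn, target_dn, op):
    """Return (level granted, whether that level permits op)."""
    level = granted_level(parse_acl(acl_text), bind_dn, target_dn)
    return level, allows(level, op)


if __name__ == "__main__":
    admin = "cn=ldap-admin,o=test.com"
    user = "uid=heather,o=test.com"   # constructed entry DN
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name)
        print("  admin write on user:", check(acl, admin, user, "write"))
        print("  user write on self: ", check(acl, user, user, "write"))
        print("  anonymous search:   ", check(acl, None, user, "search"))
```

Under the original ACL the first clause, `access to * by * read`, matches every entry and every bind DN, so even `cn=ldap-admin` never reaches the clause that would grant write; under the suggested clause the same bind DN gets write, and everyone else still gets read (which already covers search).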