
Re: Access Control by Organizational Unit?



What you suggested worked!!!!!

I removed:

 access to * by * read
 access to * by * search

and moved the:

 access to * by self write
           by dn.base="cn=ldap-admin,o=test.com"

after all the others.

Also, your point is well taken about the man pages.  Time
to read them again as well as the rest of the docco
more carefully.

Thanks again to you and to others who had suggestions.
 I hope I don't have to ask for much more help.

HeatherL


--- Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
wrote:
> Heather Lockridge writes:
> > I am having a problem.. I can read, but not write to
> > the ldap db.
> 
> > access to * by * read
> > access to * by * search
> > access to *
> >             by self write
> >             by dn.base="cn=ldap-admin,o=test.com" write
> >             by * none
> 
> Only the first matching "access to" is used.  So
> since "access to *"
> matches everything, everyone just gets read access
> to everything.
> Similarly, when the server has determined which
> "access" statement to
> use, the first matching "by" is used.  You can
> override this with the
> <control> field explained in 'man slapd.access', but
> I have never needed
> it.
> 
> Also, "read" access implies "search" access.  From
> 'man slapd.access':
>   The possible levels are none, auth, compare,
> search, read, and write.
>   Each access level implies all the preceding ones
> 
> So try
> 
>   access to * by self write
>               by dn.base="cn=ldap-admin,o=test.com" write
>               by * read
> 
> _after_ all the other access statements.  Except I
> don't see who and
> what you wanted to give "none" access to, since you
> give "read" and
> "none" access to the same <what> and the same <who>.
> 
> -- 
> Hallvard
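The evaluation rules Hallvard describes (first matching "access to" wins, then the first matching "by" within it, and each level implies the preceding ones) are easy to get wrong by eye. The following small simulator is an added example written for this thread; it is not part of OpenLDAP and models only the subset of slapd.conf ACL syntax that appears above (`access to *`, and `by` clauses of the forms `*`, `self` and `dn.base="..."`). The two configurations are constructed from the thread's snippets, and the "implicit `by * none` / implicit `access to * by * none`" fallbacks follow the OpenLDAP Administrator's Guide description of ACL evaluation.

```python
"""
Simulate how slapd picks an access level from slapd.conf-style ACLs.
Added example for this thread, not OpenLDAP code. Only "access to *" and
the <who> forms "*", "self" and dn.base="..." are modelled.
"""
from dataclasses import dataclass

# Access levels in the order slapd.access(5) lists them; each implies
# all of the preceding ones (so "read" implies "search").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str       # "*", "self", or dn.base="<dn>"
    level: str     # one of LEVELS


@dataclass
class Access:
    what: str      # only "*" is supported in this simulation
    bys: list


def parse_acl(text):
    """Parse "access to <what> by <who> <level> ..." lines (continuations allowed)."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access":
            if len(tokens) < 3 or tokens[1] != "to":
                raise ValueError(f"bad access directive: {raw!r}")
            rules.append(Access(what=tokens[2], bys=[]))
            tokens = tokens[3:]
        # Remaining tokens are one or more "by <who> <level>" triples.
        while tokens:
            if tokens[0] != "by" or len(tokens) < 3 or not rules:
                raise ValueError(f"bad by clause: {raw!r}")
            who, level = tokens[1], tokens[2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            rules[-1].bys.append(By(who, level))
            tokens = tokens[3:]
    return rules


def matches_who(who, requester_dn, entry_dn):
    """Does this <who> clause match the bound DN for the given entry?"""
    if who == "*":
        return True
    if who == "self":
        return requester_dn == entry_dn
    if who.startswith("dn.base="):
        return requester_dn == who[len("dn.base="):].strip('"')
    raise ValueError(f"unsupported <who>: {who}")


def effective_level(rules, requester_dn, entry_dn):
    """Level slapd would grant: first matching access-to, then first matching by."""
    for rule in rules:
        if rule.what != "*":
            raise ValueError("only 'access to *' is modelled")
        for by in rule.bys:
            if matches_who(by.who, requester_dn, entry_dn):
                return by.level
        return "none"      # implicit trailing "by * none" in every directive
    return "none"          # implicit trailing "access to * by * none"


def allows(rules, requester_dn, entry_dn, needed):
    """True if the granted level is at least the needed one (levels imply lower ones)."""
    return LEVELS.index(effective_level(rules, requester_dn, entry_dn)) >= LEVELS.index(needed)


# Constructed from the thread: the original ordering, where the first
# "access to *" shadows everything that follows it.
BROKEN = """
access to * by * read
access to * by * search
access to * by self write
            by dn.base="cn=ldap-admin,o=test.com" write
            by * none
"""

# Constructed from Hallvard's suggestion: one directive, most specific "by" first.
FIXED = """
access to * by self write
            by dn.base="cn=ldap-admin,o=test.com" write
            by * read
"""

ADMIN = "cn=ldap-admin,o=test.com"      # constructed DN from the thread
USER = "uid=heather,o=test.com"         # constructed sample entry


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        rules = parse_acl(cfg)
        print(f"{name}: admin on user entry -> {effective_level(rules, ADMIN, USER)}; "
              f"user on own entry -> {effective_level(rules, USER, USER)}; "
              f"anonymous -> {effective_level(rules, '', USER)}")
```

Running it shows the symptom from the thread: under the original ordering everyone, the admin included, lands on the first directive's `by * read` and nobody can write; after the reorder the admin and the entry owner get `write` while anonymous binds keep `read`, which already covers `search`.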


