
Re: phpldapadmin Config

--On Tuesday, July 13, 2004 1:41 PM -0400 Josiah Ritchie <jritchie@bible.edu> wrote:

Tried those searches above and they didn't work so I went with
commenting out the ACLs and adding in "access to * by * write" and
things started working as expected.

Now I need to rewrite my ACLs I guess. Here's what I have:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
access to dn=".*,dc=cougarnet,dc=bible,dc=edu" attr="userPassword"
        by dn="cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu" write
        by dn="cn=samba,ou=People,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * auth

Looks to me like "access to * by anonymous auth" and "access to dn="..."
attr="userPassword by * auth" should allow this, but obviously I'm
wrong.

Thanks for helping me out with this. It's good to know that we now know
what the problem is and seems like it should be easy to fix with a bit
more knowledge on my part. Appreciate it.

Does dn.base="" equate to dn=".*,dc=cougarnet,dc=bible,dc=edu"?

ACLs always stop at the first applicable stop, unless the ACL has a break statement.

So your "access to *" ACL is where everything will stop, nothing past that will be read.

If you add:

	by * break

to it, you should start getting different results.

You may wish to read:

<http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html>

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
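The first-match rule Quanah describes, as an added example that is not part of the thread and not OpenLDAP's own code: a small Python simulator of how slapd walks "access to" directives, run against Josiah's posted rules, against the same rules with the userPassword directive moved ahead of the catch-all, and against a variant that ends the password directive with "by * break". It assumes a simplified model of slapd.access(5) (exact or regex DN targets, attr lists, the who-types *, anonymous, users, self and dn="...", and the privilege ladder none < auth < compare < search < read < write, where a higher level implies the lower ones); the functions parse_acls and evaluate and the DNs uid=jdoe and uid=asmith are constructed for the example, cn=Manager comes from the thread.

```python
# Added example, not code from the thread or from OpenLDAP: a small simulator
# of how slapd walks 'access to' directives, per slapd.access(5) (simplified).
# The first directive whose <what> matches the target wins; inside it the first
# matching <who> decides and evaluation stops, unless that clause says 'break',
# which hands over to the next directive.  A matching directive whose <who>
# clauses all miss denies (implicit 'by * none').
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # higher implies lower


def parse_acls(text):
    """Parse 'access to <what> by <who> [<level>] [break]' lines; several
    'by' clauses may share a line or continue on their own lines."""
    acls = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what, *bys = re.split(r"\s+by\s+", line[len("access to "):])
            spec = {"dn": None, "attr": None, "by": []}
            for key, val in re.findall(r'(\S+?)="([^"]*)"', what):
                if key == "dn.base":
                    spec["dn"] = re.escape(val)          # exact DN
                elif key == "dn":
                    spec["dn"] = val                     # bare dn="..." is a regex
                elif key in ("attr", "attrs"):
                    spec["attr"] = {a.strip().lower() for a in val.split(",")}
            acls.append(spec)
        elif line.startswith("by "):
            bys = [line[3:]]
        else:
            raise ValueError("unparsed line: " + line)
        for clause in bys:
            tokens = clause.split()
            control = tokens.pop() if tokens[-1] in ("stop", "break") else "stop"
            level = tokens[1] if len(tokens) > 1 else "none"   # 'by * break' has no level
            acls[-1]["by"].append((tokens[0], level, control))
    return acls


def who_matches(who, bind_dn, target_dn):
    """<who> subset: *, anonymous, users, self, dn="<exact dn>"."""
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}[who]


def evaluate(acls, bind_dn, target_dn, attr=None):
    """Privilege level bind_dn (None = anonymous) gets on target_dn[/attr]."""
    for acl in acls:
        if acl["dn"] is not None and not re.fullmatch(acl["dn"], target_dn, re.I):
            continue
        if acl["attr"] is not None and (attr is None or attr.lower() not in acl["attr"]):
            continue
        for who, level, control in acl["by"]:
            if who_matches(who, bind_dn, target_dn):
                if control == "break":
                    break                  # leave this directive, keep scanning
                return level
        else:
            return "none"                  # directive matched, no <who> did
    return "none"


# DNs: cn=Manager is from the thread; uid=jdoe and uid=asmith are constructed.
MANAGER = "cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu"
JDOE = "uid=jdoe,ou=People,dc=cougarnet,dc=bible,dc=edu"
ASMITH = "uid=asmith,ou=People,dc=cougarnet,dc=bible,dc=edu"

# Josiah's rules as posted: the catch-all sits ahead of the userPassword directive.
ORIGINAL = parse_acls("""
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by self write by users read by anonymous auth
access to dn=".*,dc=cougarnet,dc=bible,dc=edu" attr="userPassword"
        by dn="cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu" write
        by dn="cn=samba,ou=People,dc=cougarnet,dc=bible,dc=edu" write
        by self write
        by * auth
""")
# Same directives with the specific one moved ahead of the catch-all.
REORDERED = list(ORIGINAL)
REORDERED.insert(2, REORDERED.pop(3))
# 'by * break' hands everyone but the Manager on to the catch-all.
WITH_BREAK = parse_acls("""
access to attr="userPassword"
        by dn="cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu" write
        by * break
access to * by self write by users read by anonymous auth
""")

if __name__ == "__main__":
    for name, acls in ("posted", ORIGINAL), ("reordered", REORDERED), ("break", WITH_BREAK):
        print(name, [evaluate(acls, who, ASMITH, "userPassword") for who in (MANAGER, JDOE, None)])
```

Run as posted, cn=Manager asking for write on another entry's userPassword gets only "read", because "access to *" is the first directive whose target matches and "by users read" stops evaluation there; the same rule also lets every authenticated user read everyone's userPassword hashes. With the specific directive ahead of the catch-all, the Manager gets write, a user gets write on their own password and only auth on anyone else's. The break variant shows the other half of Quanah's point: "by * break" does not stop, it sends the request on to the next directive, so ending a password directive with it instead of "by * auth" lands ordinary users back on "by users read".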