
Re: phpldapadmin Config



On Tue, 2004-07-13 at 14:33, Quanah Gibson-Mount wrote:
> --On Tuesday, July 13, 2004 1:41 PM -0400 Josiah Ritchie 
> <jritchie@bible.edu> wrote:
> 
> > Tried those searches above and they didn't work so I went with
> > commenting out the ACLs and adding in "access to * by * write" and
> > things started working as expected.
> >
> > Now I need to rewrite my ACLs I guess. Here's what I have:
> > access to dn.base="" by * read
> > access to dn.base="cn=Subschema" by * read
> > access to *
> >         by self write
> >         by users read
> >         by anonymous auth
> > access to dn=".*,dc=cougarnet,dc=bible,dc=edu" attr="userPassword"
> >         by dn="cn=Manager,ou=people,dc=cougarnet,dc=bible,dc=edu" write
> >         by dn="cn=samba,ou=People,dc=cougarnet,dc=bible,dc=edu" write
> >         by self write
> >         by * auth
> >
> > Looks to me like "access to * by anonymous auth" and "access to dn="..."
> > attr="userPassword" by * auth" should allow this, but obviously I'm
> > wrong.
> >
> > Thanks for helping me out with this. It's good to know that we now know
> > what the problem is and seems like it should be easy to fix with a bit
> > more knowledge on my part. Appreciate it.
> >
> > Does dn.base="" equate to dn=".*,dc=cougarnet,dc=bible,dc=edu"?
> 
> ACLs always stop at the first applicable stop, unless the ACL has a break
> statement.
> 
> So your "access to *" ACL is where everything will stop, nothing past that 
> will be read.
> 
> If you add:
> 
> 	by * break
> 
> to it, you should start getting different results.
> 
> You may wish to read:
> 
> <http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html>

Thank you again for your help. I printed off the link you sent and am
confident that your suggestion will get things working as desired. Thank
you for your help.

JSR/
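Worked example, added here and not part of the thread or of OpenLDAP: a small Python simulation of the first-match evaluation that slapd.access(5) documents, run against the ACLs quoted above. It assumes two ordinary accounts (uid=alice, uid=bob) that the thread does not mention, and it models only the default stop control and break (not continue, and not the incremental +/- privilege forms). Two things it makes visible. With the posted order, "access to *" decides userPassword before the dedicated userPassword directive is ever reached, so cn=Manager and cn=samba get only read on other entries' userPassword (neither can set passwords unless one of them is the database rootdn, which bypasses ACLs and is not shown in the thread), while every authenticated account gets read on every entry's userPassword, i.e. the password hashes. And a "by * break" appended as the last <who> clause of that directive is never reached, because "by users read" and "by anonymous auth" already match every requester and carry the default stop; the fall-through works when break is placed on those clauses, and the simplest fix is to put the userPassword directive ahead of "access to *".

```python
# First-match simulation of the slapd ACLs quoted in this thread (added
# example, not OpenLDAP code).  Follows slapd.access(5): directives are tried
# in order, the first matching <what> wins, the first matching <who> inside it
# is applied, and that clause's control ("stop" by default, "break" = go on to
# the next directive) decides.  "continue" and the +/- privilege forms are left out.
import re

# slapd's privilege order; a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_ge(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

def norm(dn):
    """Minimal DN normalisation for comparisons: lower-case, no blanks after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

# <what> selectors: fn(entry_dn, attr) -> bool
def what_all(entry_dn, attr):                  # access to *
    return True

def what_base(dn):                             # access to dn.base="<dn>"
    return lambda entry_dn, attr: norm(entry_dn) == norm(dn)

def what_regex(pattern, attr_name):            # access to dn="<regex>" attr=<name>
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda entry_dn, attr: bool(rx.search(entry_dn)) and attr.lower() == attr_name.lower()

# <who> selectors: fn(bind_dn, entry_dn) -> bool; "" is the anonymous bind
def who_all(bind_dn, entry_dn):
    return True

def who_anonymous(bind_dn, entry_dn):
    return bind_dn == ""

def who_users(bind_dn, entry_dn):
    return bind_dn != ""

def who_self(bind_dn, entry_dn):
    return bind_dn != "" and norm(bind_dn) == norm(entry_dn)

def who_dn(dn):
    return lambda bind_dn, entry_dn: norm(bind_dn) == norm(dn)

def evaluate(acl, bind_dn, entry_dn, attr):
    """Return the access level bind_dn ends up with on (entry_dn, attr)."""
    granted = "none"
    for what, by_clauses in acl:
        if not what(entry_dn, attr):
            continue                           # <what> does not apply; try next directive
        granted, control = "none", "stop"      # implicit trailing "by * none"
        for who, level, ctl in by_clauses:
            if who(bind_dn, entry_dn):
                granted, control = level, ctl
                break                          # the first matching <who> is the one applied
        if control != "break":
            return granted                     # default stop: later directives never consulted
    return granted                             # fell off the end after a break

# DNs from the thread plus two constructed ordinary accounts for illustration.
BASE = "dc=cougarnet,dc=bible,dc=edu"
MANAGER = "cn=Manager,ou=people," + BASE
SAMBA = "cn=samba,ou=People," + BASE
ALICE = "uid=alice,ou=People," + BASE          # constructed
BOB = "uid=bob,ou=People," + BASE              # constructed

ROOT_DSE = (what_base(""), [(who_all, "read", "stop")])
SUBSCHEMA = (what_base("cn=Subschema"), [(who_all, "read", "stop")])
CATCH_ALL = (what_all, [(who_self, "write", "stop"),
                        (who_users, "read", "stop"),
                        (who_anonymous, "auth", "stop")])
PASSWORD = (what_regex(r".*," + re.escape(BASE), "userPassword"),
            [(who_dn(MANAGER), "write", "stop"),
             (who_dn(SAMBA), "write", "stop"),
             (who_self, "write", "stop"),
             (who_all, "auth", "stop")])

def acl_as_posted():
    """The order quoted in the thread: the catch-all sits before the password rule."""
    return [ROOT_DSE, SUBSCHEMA, CATCH_ALL, PASSWORD]

def acl_reordered():
    """Most specific directive first: userPassword is decided before `access to *`."""
    return [ROOT_DSE, SUBSCHEMA, PASSWORD, CATCH_ALL]

def acl_trailing_break():
    """Posted order with `by * break` appended to the catch-all, as the reply suggests."""
    return [ROOT_DSE, SUBSCHEMA, (what_all, CATCH_ALL[1] + [(who_all, "none", "break")]), PASSWORD]

def acl_break_on_clauses():
    """Posted order with `break` on the <who> clauses that actually match requesters."""
    catch_all = (what_all, [(who_self, "write", "stop"), (who_users, "read", "break"),
                            (who_anonymous, "auth", "break")])
    return [ROOT_DSE, SUBSCHEMA, catch_all, PASSWORD]

if __name__ == "__main__":                     # levels on alice's userPassword per variant
    for build in (acl_as_posted, acl_reordered, acl_trailing_break, acl_break_on_clauses):
        print(build.__name__, [evaluate(build(), dn, ALICE, "userPassword") for dn in (MANAGER, SAMBA, BOB, "")])
```

Running it prints, per variant, the level that Manager, samba, bob and an anonymous bind get on alice's userPassword; the functions return the level rather than only printing it so the ordering can be checked in a test. The real check is still slapd itself, started with debugging on (-d acl) while binding and modifying as each of these DNs.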