Re: Write access error with GSSAPI on OpenLDAP 2.2.26

[Marty Heyman <mheyman@symas.com>]

John,

Please take a look at section 5.3.4 of the OpenLDAP Administrator's  
Guide ( http://www.openldap.org/doc/admin23/slapdconf2.html#Access% 
20Control ), "Access Control Evaluation". This material is not in the  
slapd.access(5) man page nor any of the other man pages it points to.

This says, "Slapd stops with the first <what> selector that matches  
the entry and/or attribute." which means it will stop when it finds  
the first of your list and if the <who> associated with that one  
doesn't fit the requester, it will apply the default. The other  
directives will never be evaluated. That's why Quanah's suggestion is  
correct.

This section is very helpful in understanding how to construct and  
order your access directives. Hope this helps.

--
Marty

On Jul 14, 2005, at 7:44 AM, Quanah Gibson-Mount wrote:

> --On Thursday, July 14, 2005 6:42 PM +0800 John Mok  
> <jmok@attglobal.net> wrote:
>
> access to *
>     by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
> access to *
>     by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
> access to *
>     by * read
>
> This should be one statement:
>
>
> access to *
>     by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
>     by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
>     by * read
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/Shared Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
> "These censorship operations against schools and libraries are  
> stronger
> than ever in the present religio-political climate. They often  
> focus on
> fantasy and sf books, which foster that deadly enemy to bigotry and  
> blind
> faith, the imagination." -- Ursula K. Le Guin