Re: ldapsearch returns one entry

[Pierangelo Masarati <ando@sys-net.it>]

Stephen Walton wrote:

> Quanah Gibson-Mount wrote:
>
>  
>
> > Well, I will note that there were changes to some of the settings in
> > slapd.conf between 2.1 and 2.2 and also there were changes to how
> > ACL's were formed
> >    
>
> Thanks for the hint.  I went to "OpenLDAP Everywhere Revisited" in the
> July 2005 Linux Journal and copied the access controls from there:
>
> access to attrs=userPassword
>      by dn="cn=Manager,dc=foo,dc=com" write
>      by self write
>      by anonymous auth
>      by * none
> # All other attributes are readable to everybody
> access to *
>      by self write
>      by dn="cn=Manager,dc=foo,dc=com" write
>      by * read
>
>
> and all is now well.  The key thing seems to be that one needs an
> explicit "access to * by * read" at OpenLDAP 2.2.  Thanks again for the
> quick help!
>  
As clearly stated nearly everywhere in OpenLDAP documentation (man 
pages, admin guide, FAQ, example slapd.conf that ships with the code) 
those ACLs are exactly equivalent to

access to attrs=userPassword
     by self write
     by anonymous auth
access to *
     by self write
     by * read

The rest is redundant, source of confusion and introduces unnecessary 
performance penalties.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497