Re: ACL Headaches
* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050922 23:09]:
> Ok,
>
> My slapd.access file now looks like:
>
> #########
> olcAccess: to dn.base=""
> by dn="cn=ldapadmin,dc=qm" write
> by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
> by dn.exact="uid=silasb,ou=people,dc=qm" write
> by self write
> by * read
>
> olcAccess: to *
> by dn="cn=ldapadmin,dc=qm" write
> by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
> by dn.exact="uid=silasb,ou=people,dc=qm" write
> by * read
> #########
Is this exactly what your ACLs look like? In "man slapd.conf" I
cannot find an olcAccess statement.
Your ACLs should be something like this:
SNIP-->
# Writing to the RootDSE is impossible (AFAIK), but everybody should be able
# to read the information there
access to dn.base=""
by * read
# Everybody should be able to read the schema on the server
access to dn.base="cn=Subschema"
by * read
# Access to back monitor (backend monitor must be enabled for this)
# only a privileged user should read this
access to dn.subtree="cn=Monitor"
by dn.exact="dn_of_a_user_you_trust" read
# Enable write access for the given dn
# rootdn is omitted, since it always has implicit
# maximal access
access to dn.subtree="dc=qm"
by dn.exact="uid=silasb,ou=people,dc=qm" write
by * read
<--SNAP
It should now work as expected. But I strongly recommend reading the
slapd.access Manpage.
--
Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------
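The reason ordering matters so much in the ACLs above is slapd's first-match rule from slapd.access(5): the first "access to <what>" clause that covers the target entry is the only one consulted, and within it the first "by <who>" clause that covers the bound identity fixes the access level. The following is an added Python model of that rule written for this page; it is not code from the thread or from OpenLDAP. It supports only the selector forms used here (`*`, `dn.base`, `dn.exact`, `dn.subtree`, `self`), treats a style-less `dn=` as exact, denies when nothing matches, and lets the rootdn bypass everything; the sample ACL is the one suggested above with the Monitor reader filled in as silasb, and the `SHADOWED_ACL` variant (a catch-all clause placed first) is a constructed illustration of the classic headache.

```python
import re

# Access levels in increasing order of privilege, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Selector forms this toy understands; a style-less "dn=" is treated as exact
# here, which is a simplification of this example, not slapd's own rule.
DN_SPEC = re.compile(r'^dn(?:\.(base|exact|subtree))?="([^"]*)"$')

def normalize_dn(dn):
    """Case-fold and trim RDNs: a crude stand-in for slapd's DN normalization."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""

def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into [(what, [(who, level), ...])]."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines carry nothing
        if not line:
            continue
        if line.startswith("access to "):
            clauses.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and clauses:
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            clauses[-1][1].append((who, level))
        else:
            raise ValueError("unparsable ACL line: " + raw)
    return clauses

def match_what(what, target):
    """Does the <what> selector cover the target entry DN?"""
    if what == "*":
        return True
    m = DN_SPEC.match(what)
    if not m:
        raise ValueError("unsupported <what>: " + what)
    style, base = m.group(1) or "exact", normalize_dn(m.group(2))
    target = normalize_dn(target)
    if style in ("base", "exact"):
        return target == base
    # subtree: the base entry and everything below it; dn.subtree="" is the whole DIT
    return base == "" or target == base or target.endswith("," + base)

def match_who(who, requestor, target):
    """Does the <who> selector cover the bound DN ('' means anonymous)?"""
    if who == "*":
        return True
    if who == "self":
        return requestor != "" and normalize_dn(requestor) == normalize_dn(target)
    m = DN_SPEC.match(who)
    if not m:
        raise ValueError("unsupported <who>: " + who)
    return normalize_dn(requestor) == normalize_dn(m.group(2))  # exact comparison only

def granted(acl_text, requestor, target, rootdn=None):
    """Access level the ACL grants `requestor` on `target`; first match wins."""
    if rootdn is not None and normalize_dn(requestor) == normalize_dn(rootdn):
        return "manage"  # the rootdn is never subject to ACLs
    for what, bys in parse_acl(acl_text):
        if match_what(what, target):
            for who, level in bys:
                if match_who(who, requestor, target):
                    return level
            return "none"  # 'to' matched but no 'by' did: denied, evaluation stops
    return "none"  # no 'to' clause matched: this toy denies

def allowed(acl_text, requestor, target, needed, rootdn=None):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted(acl_text, requestor, target, rootdn)) >= LEVELS.index(needed)

# Constructed sample: the ACL suggested in the reply, with the trusted Monitor
# reader filled in as silasb (a placeholder choice for this example).
ACL = """
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to dn.subtree="cn=Monitor"
    by dn.exact="uid=silasb,ou=people,dc=qm" read
access to dn.subtree="dc=qm"
    by dn.exact="uid=silasb,ou=people,dc=qm" write
    by * read
"""
# Same rules with a catch-all clause first: it shadows every clause after it.
SHADOWED_ACL = """
access to *
    by * read
access to dn.subtree="dc=qm"
    by dn.exact="uid=silasb,ou=people,dc=qm" write
"""

if __name__ == "__main__":
    silas = "uid=silasb,ou=people,dc=qm"
    for label, acl in (("suggested", ACL), ("shadowed", SHADOWED_ACL)):
        print(label, "silasb on ou=people,dc=qm:", granted(acl, silas, "ou=people,dc=qm"))
    print("anonymous on cn=Monitor:", granted(ACL, "", "cn=Monitor"))
    print("rootdn on cn=Monitor:", granted(ACL, "cn=ldapadmin,dc=qm", "cn=Monitor", rootdn="cn=ldapadmin,dc=qm"))
```

Running it shows silasb getting write under the suggested ACL but only read under the shadowed one, anonymous binds being denied on cn=Monitor, and the rootdn getting full access without any clause naming it, which is why the reply drops the ldapadmin lines. The model ignores regex styles, filters, attribute lists and the "stop/continue/break" controls, so use slapd's own evaluation (for example, slapacl) to verify a real configuration.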
- References:
- RE: ACL Headaches
- From: "Bennett, Silas (GE Infrastructure)" <Silas.Bennett@ge.com>