
access control after upgrade



( DB MOCKUP )
dc=local,dc=net
 |
ou=accounts
 |	|
 |	|
 |	ou=corporate
 |
ou=subscriber
( /DB MOCKUP )

-----------------------
These controls worked perfectly in 2.0.22:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn="cn=corpuser,dc=local,dc=net" write
        by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
        by dn="cn=subuser,dc=local,dc=net" write
        by anonymous read
access to *
        by dn="cn=Manager,dc=local,dc=net" write
        by self write
        by anonymous read

In this way, I could have an admin that could manage the corporate entries, and a separate admin to manage the subscriber entries.

In 2.3.11, 'cn=corpuser,dc=local,dc=net' can only read itself and can't update anything under "ou=corporate,ou=accounts,dc=local,dc=net". I've tried varying degrees of dn.subtree and dn.exact, etc.

The only difference between the old config and the new one is this:

access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn="cn=corpuser,dc=local,dc=net" write
        by anonymous read
access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
        by dn="cn=subuser,dc=local,dc=net" write
        by anonymous read
access to *
        by dn="cn=Syncuser,dc=local,dc=net" read

The Manager line in the old config was admittedly unnecessary, but I put Syncuser in its place for syncrepl replication (which is working great!). Is this Syncuser overrunning the permissions of the two subtree managers?

I've read slapd.access a fair bit and it seems everything's geared toward reading attributes of a one-OU directory.

--
Aaron Thoreson
aaront@midco.net
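The following is an added example, not part of the post above and not OpenLDAP code. It is a small Python model of the documented slapd ACL evaluation order ("first matching access to clause decides, first matching by clause inside it decides, otherwise none") together with the dn styles, and it is used here to run the two ACL lists from the post against a constructed entry `cn=alice,ou=corporate,ou=accounts,dc=local,dc=net`. The one version difference it models is that a bare `dn="..."` in `<what>` was a regular expression in OpenLDAP 2.0 and has meant `dn.exact=` since 2.1; the `cn=alice` entry, the level names and the `ACL_*` variable names are assumptions for the example. On a live 2.3 server, slapacl(8) answers the same question against the real configuration.

```python
# Added example: a toy model of how slapd picks an access level for a
# request, used to compare the two ACL lists from the post. Not OpenLDAP
# code: it only implements the documented "first match wins" rule and
# the dn styles exact/subtree/children/regex. Entry names below are
# constructed from the post's DB mockup.
import re

# Access levels in ascending order (OpenLDAP 2.3 names).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def dn_parts(dn):
    """Split a DN into normalised RDNs, root on the right."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))


def match_what(style, pattern, target):
    """Does the <what> clause (style + pattern) select entry `target`?"""
    if pattern == "*":
        return True
    if style == "regex":
        # 2.0 behaviour: dn=<regex> is an unanchored search, so a bare
        # base DN also matches every entry underneath it.
        return re.search(pattern, target, re.IGNORECASE) is not None
    t, p = dn_parts(target), dn_parts(pattern)
    if style == "exact":        # 2.1+ default when no style is given
        return t == p
    if style == "subtree":
        return len(t) >= len(p) and t[-len(p):] == p
    if style == "children":
        return len(t) > len(p) and t[-len(p):] == p
    raise ValueError("unknown dn style: " + style)


def match_who(who, bind_dn, target):
    """Does a <by> clause apply to the bound identity for this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and dn_parts(bind_dn) == dn_parts(target)
    return bind_dn is not None and dn_parts(bind_dn) == dn_parts(who)


def granted(acl, bind_dn, target):
    """Level slapd grants: the first <access to> whose <what> matches
    decides; inside it the first matching <by> decides; else 'none'."""
    for style, pattern, by in acl:
        if match_what(style, pattern, target):
            for who, level in by:
                if match_who(who, bind_dn, target):
                    return level
            return "none"   # implicit "by * none" ends every clause
    return "none"           # implicit "access to * by * none" ends the list


def allows(acl, bind_dn, target, level):
    """True if the granted level is at least `level`."""
    return LEVELS.index(granted(acl, bind_dn, target)) >= LEVELS.index(level)


CORP = "ou=corporate,ou=accounts,dc=local,dc=net"
SUB = "ou=subscriber,ou=accounts,dc=local,dc=net"
CORPUSER = "cn=corpuser,dc=local,dc=net"
SUBUSER = "cn=subuser,dc=local,dc=net"
SYNCUSER = "cn=Syncuser,dc=local,dc=net"

# The 2.0.22 list from the post, where a bare dn= was a regex.
ACL_20 = [
    ("regex", CORP, [(CORPUSER, "write"), ("anonymous", "read")]),
    ("regex", SUB, [(SUBUSER, "write"), ("anonymous", "read")]),
    ("*", "*", [("cn=Manager,dc=local,dc=net", "write"),
                ("self", "write"), ("anonymous", "read")]),
]

# The new list as 2.3.11 reads it, where a bare dn= means dn.exact=.
ACL_23 = [
    ("exact", CORP, [(CORPUSER, "write"), ("anonymous", "read")]),
    ("exact", SUB, [(SUBUSER, "write"), ("anonymous", "read")]),
    ("*", "*", [(SYNCUSER, "read")]),
]

# The same 2.3 list with dn.subtree= spelled out on the two OU rules.
ACL_23_SUBTREE = [("subtree" if s == "exact" else s, p, by)
                  for s, p, by in ACL_23]

# Constructed entry below ou=corporate, as in the mockup.
ALICE = "cn=alice," + CORP

if __name__ == "__main__":
    for name, acl in [("2.0 regex", ACL_20), ("2.3 exact", ACL_23),
                      ("2.3 subtree", ACL_23_SUBTREE)]:
        print(name, "corpuser on", ALICE, "->", granted(acl, CORPUSER, ALICE),
              "| Syncuser ->", granted(acl, SYNCUSER, ALICE))
```

Two things the model makes visible. First, under the regex reading the bare base DN selects every entry beneath `ou=corporate`, while under the exact reading it selects only the OU entry itself, so a request on `cn=alice` falls through to `access to *`, where corpuser matches no `by` clause and gets the implicit `none`. Second, once the OU rules are written with `dn.subtree=`, they now capture Syncuser's reads of those subtrees as well, and Syncuser matches no `by` clause there either; each subtree rule needs its own `by dn="cn=Syncuser,dc=local,dc=net" read` (or a `by * read`) for replication of that subtree to keep working. The model also shows that the posted 2.3 list grants anonymous nothing on `cn=corpuser`'s own entry, and a simple bind needs `auth` access to userPassword, so that is worth checking with slapacl(8) as well.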