Re: trouble with access control
On Tuesday, 18 April 2006 02:43, Kurt D. Zeilenga wrote:
> At 12:27 AM 4/17/2006, Dr. Harry Knitter wrote:
> >On Thursday, 13 April 2006 17:13, Lise Didillon wrote:
> >> At 08:39 13/04/06 +0200, Dr. Harry Knitter wrote:
> >> >Hello,
> >> >
> >> >I am new to OpenLDAP and to this list, too.
> >> >
> >> >My problem is as follows:
> >> >
> >> >I have set up an openldap server with simple bind.
> >> >
> >> >Everything works fine when using rootdn to access my data.
> >> >There are several address books in different DNs.
> >> >
> >> >My access controls are:
> >> >access to *
> >> > by * read
> >> >
> >> >access to dn.subtree="dc=mydoamin,dc=tld"
> >> > by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
> >> > by * none
> >>
> >> write instead:
> >>
> >> access to dn.subtree="dc=mydoamin,dc=tld"
> >> by dn="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
> >> by * none
> >>
> >> access to *
> >> by * read
> >>
> >> because slapd finds and stops at the first rule that matches the entry.
> >>
> >
> >
> >When I do this I get no access at all.
>
> Ignoring the differences in second level RDNs of your DNs
> is merely a typo in your messages (but not in your configuration),
> it appears you didn't grant "auth" permission necessary for
> anonymous users to access userPassword values (in the subtree)
> for the purposes of simple bind authentication. That is,
> "by anonymous auth" might be more appropriate than the
> (redundant) "by * none". See slapd.access(5) and the Admin
> Guide for details.
>
> - Kurt
>
I have tried it and it works.
Thanks for the help.
Harry
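Putting Lise's ordering advice and Kurt's "auth" point together, here is a complete ACL stanza for slapd.conf; it is an added example, not the configuration from the thread, and it assumes the suffix is dc=mydomain,dc=tld throughout (the "mydoamin" spelling in the quoted messages is taken as the typo Kurt refers to).

```conf
# Added example, not from the original thread. Assumes the suffix is
# dc=mydomain,dc=tld and that harry's entry lives under it.
#
# slapd evaluates "access to" rules in order and stops at the first one
# whose target matches the entry/attribute; within that rule the first
# matching "by" clause decides. Anything not granted is denied, so a
# trailing "by * none" is only documentation.

# 1. Password hashes: evaluated before any broader rule.
#    "anonymous auth" is what a simple bind needs: slapd checks auth
#    access to userPassword of the bind DN while the client is still
#    anonymous. "self write" lets users change their own password.
#    Without this rule the final "by * read" below would hand out
#    userPassword values of every entry outside the subtree.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The address-book subtree: only harry may modify it; nobody else,
#    bound or anonymous, may read it.
access to dn.subtree="dc=mydomain,dc=tld"
        by dn.exact="uid=harry,cn=users,ou=ldapconfig,dc=mydomain,dc=tld" write
        by * none

# 3. Everything else stays world-readable, as in the original config,
#    but rule 1 has already excluded userPassword from that.
access to *
        by * read
```

Rule 1 also keeps harry from reading other users' password hashes; if he must manage them, grant that explicitly there rather than widening rule 2.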