[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slurpd access control problems



On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
> >I get problems with access control, however, that prevent it from working.
> 
> Yes...given
> >access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >access to * by * none

Think what you need here is

access to *
	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
	by * break 

access to attrs=userPassword
	by anonymous auth
	by self write
	by * none

access to *
	by * none


the difference is the first wil give uid=slurp root like access to every think.
the by * break, say even thought you have match * if youhave gotten to this
line break out of this statement and continue processing.

The second one governs userPassword - give anon user the right to authenticate

and the bottom (last) default one says everything else by everyone else is none



> 
> >The problem is I cannot access the slave database with 
> >dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
> because you have no access for anonymous to auth to uid=slurp.
> 
> >slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 
> >'dc=xxxxxxxxx,dc=xx' -d 255
> 
> Debugging on the client isn't going to be too informative here. Try "slapd 
> -d acl" perhaps.
> 

Attachment: signature.asc
Description: Digital signature