
Re: slurpd access control problems



Alex Samad wrote:
On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none

Think what you need here is

access to *
	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
	by * break


access to attrs=userPassword
	by anonymous auth
	by self write
	by * none

access to *
	by * none

Yes, but sloppy. Don't use rules you don't need, and write rules that work with the natural order of processing:

access to attrs=userPassword
	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
	by self write
	by anonymous auth

access to *
	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write

I.e., don't throw in gratuitous "break" statements when you don't need to.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
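
Added example (not part of the original message and not OpenLDAP code): a simplified Python model of slapd's first-match ACL processing, run over the rule set that uses "by * break" and the shorter rule set from the reply, to show that both grant the same effective access. The alice and bob DNs and all function names are constructed for illustration, and only the what/who forms that appear in this thread are modeled.

```python
# Simplified model of slapd ACL processing: the first "access to <what>" clause
# covering the attribute is used, then the first matching "by <who>" inside it.
SLURP = "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"   # DN from the thread
ALICE = "uid=alice,ou=users,dc=xxxxxxxx,dc=xx"   # constructed entry owner
BOB = "uid=bob,ou=users,dc=xxxxxxxx,dc=xx"       # constructed unrelated user

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    return requester == who               # exact dn="..." match

def effective_access(acl, requester, entry_dn, attr):
    for what, by_list in acl:
        if what not in ("*", attr):
            continue                      # clause does not cover this attribute
        for who, level, control in by_list:
            if who_matches(who, requester, entry_dn):
                if control == "break":
                    break                 # go on to the next access clause
                return level              # default control is "stop"
        else:
            return "none"                 # implicit trailing "by * none"
    return "none"                         # implicit final "access to * by * none"

WITH_BREAK = [                            # rule set using "by * break"
    ("*", [(SLURP, "write", "stop"), ("*", None, "break")]),
    ("userPassword", [("anonymous", "auth", "stop"), ("self", "write", "stop"),
                      ("*", "none", "stop")]),
    ("*", [("*", "none", "stop")]),
]
NATURAL_ORDER = [                         # rule set from the reply
    ("userPassword", [(SLURP, "write", "stop"), ("self", "write", "stop"),
                      ("anonymous", "auth", "stop")]),
    ("*", [(SLURP, "write", "stop")]),
]

def access_table(acl):
    """Effective access to ALICE's entry for each requester and attribute."""
    requesters = {"slurp": SLURP, "anonymous": None, "self": ALICE, "other": BOB}
    return {(name, attr): effective_access(acl, dn, ALICE, attr)
            for name, dn in requesters.items() for attr in ("userPassword", "cn")}

if __name__ == "__main__":
    for key, level in access_table(NATURAL_ORDER).items():
        print(key, level, "same" if access_table(WITH_BREAK)[key] == level else "DIFFERS")
```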