[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question

To: Tim Gustafson <tjg@soe.ucsc.edu>
Subject: Re: ACL Question
From: Jonathan Clarke <jclarke@linagora.com>
Date: Thu, 05 Feb 2009 12:26:42 +0100
Cc: openldap-software@openldap.org
In-reply-to: <838443550.365331233765546125.JavaMail.root@mail-01.cse.ucsc.edu>
References: <838443550.365331233765546125.JavaMail.root@mail-01.cse.ucsc.edu>
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

Tim Gustafson wrote:

Similarly, other ACLs after this one may grant access to cn=log. Your current ACL only grants read access to the group ldap-admins. It doesn't specify rights for other users. Explicitly deny access to others like this
I tried that as well and got the same result.  Also, the man page
says that each "access to" stanza is implicitly terminated by a "by *
none", so specifying this seems to be unnecessary.


Absolutely. My bad.

A few things you could check here: 1) If this ACL is in the global context, per-database ACLs will precede it. They may be giving read access. 2) Run with loglevel ACL. The log will detail ACL evaluation, and you'll see exactly which ACL grants access.

Jonathan

Follow-Ups:
- Re: ACL Question
  - From: Tim Gustafson <tjg@soe.ucsc.edu>

References:
- Re: ACL Question
  - From: Tim Gustafson <tjg@soe.ucsc.edu>

Prev by Date: Re[2]: 2.4.13 slapacl strange behavior
Next by Date: Re: Re[2]: 2.4.13 slapacl strange behavior
Index(es):
- Chronological
- Thread