On Fri, 2010-03-19 at 12:54 +0100, Carlo Pradissitto wrote:

> access to * by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
> #access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

With no access stanza, OpenLDAP defaults to:

    access to *
        by anonymous read
        by * none

As soon as you assign an access stanza, this default goes away.

As it stands, you are not giving Administrator1 any permission to bind. Your access stanza doesn't mention anything under the administrative section. At the very least, you will need something like:

    access to dn.subtree="o=Administrators,dc=<base>"
        by anonymous bind

You *will* need to fine-tune this. ;-)

Some decent information on ACLs can be found at http://www.zytrax.com/books/ldap/ch6/

Also, set debug level 128 to view ACL processing -- this will be invaluable to you.

-- 
Owen Marshall
FacilityONE
omarshall@facilityone.com | (502) 805-2126
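As an added example (not from either mail in this thread), here is a complete slapd.conf ACL set that implements the advice above, using the placeholder DNs from the thread. The bind-only privilege is written `auth`, which is the name slapd.access(5) uses for it; slapd evaluates `access to` clauses in order and the first clause whose target matches wins, so the narrow clauses come before the catch-all.

```conf
# Administrator entries: anyone may authenticate against them (auth = bind only,
# no read), the account may read its own entry, nobody else sees them.
access to dn.subtree="o=Administrators,dc=<base>"
    by anonymous auth
    by self read
    by * none

# Domain data: only Administrator1 may write it; authenticated users may read it.
access to dn.subtree="dc=<domain_1>,dc=<base>"
    by dn.exact="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
    by users read
    by * none

# Catch-all, replacing the original "access to * by * write": every clause
# already ends with an implicit "by * none", so this just makes it explicit.
access to *
    by * none

# Log ACL evaluation (level 128 = acl) while tuning; drop it afterwards.
loglevel 128
```

Test with `ldapwhoami -x -D "cn=Administrator1,..." -W` against the running server and watch the ACL trace in the slapd log to confirm the bind is granted by the first clause rather than falling through to `by * none`.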