Re: ACL to create a CRUD to OpenLDAP
- To: Zdenek Styblik <stybla@turnovfree.net>
- Subject: Re: ACL to create a CRUD to OpenLDAP
- From: MrBiTs <mrbits.dcf@gmail.com>
- Date: Wed, 07 Jul 2010 11:36:21 -0300
- Cc: openldap-technical@openldap.org
- In-reply-to: <4C348B1F.7000001@turnovfree.net>
- Openpgp: id=2B3CA5AB
- References: <4C3481CE.4030305@gmail.com> <4C348B1F.7000001@turnovfree.net>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Lightning/1.0b1 Thunderbird/3.0.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Couldn't it be because you disallow access preceding this particular ACL?
> ACLs are read rule by rule, thus they are position-dependent in slapd.conf.
> I also don't use 'exact' but just 'dn'. If that's (some sort of) a
> mistake, please feel free to correct me :)
Hi, Zdenek
Thanks for the reply. Makes sense, and it was my bad not to post all my rules.
So, my slapd.conf is like this:
# password attributes, in any entry of the database
access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by self read
    by self write
    by * read
# everything under ou=FTPUsers
access to dn.subtree="ou=FTPUsers,dc=domain,dc=org"
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by dn.exact="uid=crud,ou=Applications,dc=domain,dc=org" write
    by self write
    by * read
# catch-all for everything else
access to *
    by dn.exact="cn=Admin,dc=domain,dc=org" write
    by self write
    by * read
Do you (or somebody else) think that the "by * read" before the FTPUsers rule can "kill" the uid=crud write ACL?
I have never used just 'dn', but I don't think this is an error. I will test some rule orderings and dn without exact as soon as I finish
the meeting I am in, and I'll post my results.
Cheers
- --
.0. MrBiTs - mrbits.dcf@gmail.com
..0 GnuPG - http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6EC818FC2B3CA5AB
000 http://www.mrbits.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBCAAGBQJMNJDiAAoJEG7IGPwrPKWraAUIALNvJP4YDS1gFa9W6SnVEvye
u/lKBIUpKWddqC9fzRssmhp8hBpqHfmxDBn7ReAnxfT0eFhrHT+T/83kVAkKh0Oz
jaeVbNApOMyAq1Rv6iceVbu+eCwCIFkos2udbLfeBBhiwbxueghNNRlgPH2ieV96
T0Yknos6eCAjPdgVi4QAaKkh8sflo20H+2HxNFwgDEmVv8gEMO8RVEjWV/uU8yVc
tYpQfIm/AYT3GH37/ZEVdC4UDRKXqJBCJEXIp2bBP2pWn85zIlB57zfq6jUp0gvZ
6LNeqPv9KaYnDCs+83d/74VrXDPVyhIhT8bnDffCJ37IXzxuQusS+hGy7oz3w+c=
=Nfxx
-----END PGP SIGNATURE-----
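The ordering question raised in the message above can be answered without a running slapd by replaying slapd.access(5)'s evaluation order: the first "access to" directive whose target matches the entry and attribute is selected, and inside it the first "by" clause that matches the requester decides the level (later clauses are never reached). The script below is an added illustration, not OpenLDAP code and not from anyone in this thread. It encodes the three posted directives as data, evaluates a few constructed requests (the entries uid=alice,ou=FTPUsers and uid=bob,ou=People are invented), and also evaluates a rearranged set, my suggestion rather than something from the thread, that puts a narrower credentials rule for ou=FTPUsers first. The model ignores rootdn (which bypasses ACLs entirely, so if cn=Admin is the rootdn its clauses are redundant), DN normalisation beyond case and whitespace folding, the entry/children pseudo-attributes, and the break/continue controls.

```python
"""Toy model of slapd.conf ACL evaluation per slapd.access(5): the first
'access to' target matching (entry, attribute) wins, then the first 'by'
clause matching the requester wins (default control 'stop').
Constructed illustration only, not OpenLDAP code. It ignores rootdn,
full DN normalisation, entry/children pseudo-attributes and break/continue."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=Admin,dc=domain,dc=org"
CRUD = "uid=crud,ou=Applications,dc=domain,dc=org"
FTP = "ou=FTPUsers,dc=domain,dc=org"
PW_ATTRS = {"userpassword", "shadowlastchange"}

# Directive = (what, by_clauses); what = {"attrs": set|None, "subtree": dn|None};
# by clause = (who, level), who in "anonymous", "users", "self", "*" or ("dn.exact", dn).
POSTED_ACL = [  # the three directives from the mail, in the posted order
    ({"attrs": PW_ATTRS, "subtree": None},
     [("anonymous", "auth"), (("dn.exact", ADMIN), "write"),
      ("self", "read"), ("self", "write"), ("*", "read")]),
    ({"attrs": None, "subtree": FTP},
     [(("dn.exact", ADMIN), "write"), (("dn.exact", CRUD), "write"),
      ("self", "write"), ("*", "read")]),
    ({"attrs": None, "subtree": None},
     [(("dn.exact", ADMIN), "write"), ("self", "write"), ("*", "read")]),
]

REORDERED_ACL = [  # suggestion (not from the thread): credentials under ou=FTPUsers first
    ({"attrs": PW_ATTRS, "subtree": FTP},
     [("anonymous", "auth"), (("dn.exact", ADMIN), "write"),
      (("dn.exact", CRUD), "write"), ("self", "write"), ("*", "none")]),
    ({"attrs": PW_ATTRS, "subtree": None},
     [("anonymous", "auth"), (("dn.exact", ADMIN), "write"),
      ("self", "write"), ("*", "none")]),
] + POSTED_ACL[1:]  # the FTPUsers and catch-all directives are kept as posted


def _norm(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))


def _in_subtree(entry_dn, base):
    entry, base = _norm(entry_dn), _norm(base)
    return entry == base or entry.endswith("," + base)


def _what_matches(what, entry_dn, attr):
    if what["subtree"] is not None and not _in_subtree(entry_dn, what["subtree"]):
        return False
    return what["attrs"] is None or attr.lower() in what["attrs"]


def _who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and _norm(bound_dn) == _norm(entry_dn)
    kind, dn = who
    if kind == "dn.exact":
        return bound_dn is not None and _norm(bound_dn) == _norm(dn)
    raise ValueError("unsupported <who> selector: %r" % (who,))


def access_level(acl, bound_dn, entry_dn, attr):
    """Level slapd would grant bound_dn (None = anonymous) on entry_dn/attr."""
    for what, clauses in acl:
        if not _what_matches(what, entry_dn, attr):
            continue                  # directive does not apply; try the next one
        for who, level in clauses:
            if _who_matches(who, bound_dn, entry_dn):
                return level          # first matching 'by' wins; later ones are dead
        return "none"                 # target matched but no 'by' clause did
    return "none" if acl else "read"  # implicit 'access to * by * none' once ACLs exist


def allows(acl, bound_dn, entry_dn, attr, wanted):
    """True if the granted level is at least 'wanted' (e.g. 'write' implies 'read')."""
    return LEVELS.index(access_level(acl, bound_dn, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    alice = "uid=alice,ou=FTPUsers,dc=domain,dc=org"  # constructed entries
    bob = "uid=bob,ou=People,dc=domain,dc=org"
    for name, acl in (("posted", POSTED_ACL), ("reordered", REORDERED_ACL)):
        print(name)
        print("  crud writes alice's userPassword: ", allows(acl, CRUD, alice, "userPassword", "write"))
        print("  crud writes alice's loginShell:   ", allows(acl, CRUD, alice, "loginShell", "write"))
        print("  alice writes her own userPassword:", allows(acl, alice, alice, "userPassword", "write"))
        print("  bob reads alice's userPassword:   ", allows(acl, bob, alice, "userPassword", "read"))
        print("  crud writes bob's userPassword:   ", allows(acl, CRUD, bob, "userPassword", "write"))
```

Running it shows what the model predicts for the posted order: uid=crud gets write on ordinary attributes under ou=FTPUsers but only read on userPassword, because the attrs= directive comes first and crud only matches its "by * read" clause; the "by * read" in the FTPUsers directive is never consulted for that attribute. Two side effects of the same first-match rule are also visible: "by self write" after "by self read" is unreachable, so users cannot change their own password, and any authenticated bind can read every entry's userPassword hash. The real check against a live configuration is slapacl(8), which evaluates the rules with slapd's own code, for example `slapacl -f /etc/ldap/slapd.conf -D "uid=crud,ou=Applications,dc=domain,dc=org" -b "uid=alice,ou=FTPUsers,dc=domain,dc=org" userPassword/write` (paths and the alice entry are assumptions).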