[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL rule: getting crazy with it.

To: openldap-technical@openldap.org
Subject: Re: ACL rule: getting crazy with it.
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 20 Aug 2015 00:52:27 +0200
In-reply-to: <CANqXOajBhQv_gMzfB92wgFsi49sv6aNhdBD+LEU+WA=9v-=NhA@mail.gmail.com>
References: <CANqXOajBhQv_gMzfB92wgFsi49sv6aNhdBD+LEU+WA=9v-=NhA@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1

Simone Taliercio wrote:
> access to *
>         by self write
>         by anonymous auth
>         by users search
> 
> The only way to workaround that issue is removing any ACL or leaving "by users
> read".

Looking at the ACL above you likely run into a misunderstanding.

You should carefully read slapd.access(5). Especially the very important
section "THE ACCESS DIRECTIVE" describes significance of order of <what> and
<who> clauses and that the checking stops at the first matching <what> and
<who> clause (if control flow is not explicitly redirected).

Given the example above you might rather want this:

access to *
        by self write
        by users search
        by * auth

YMMV.

Also it's very handy to run slapd -d stats,acl [..other params..] to get ACL
debugging displayed on console.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: ACL rule: getting crazy with it.
  - From: Simone Taliercio <simonetaliercio@gmail.com>

References:
- ACL rule: getting crazy with it.
  - From: Simone Taliercio <simonetaliercio@gmail.com>

Prev by Date: RE: LDAP over SSL ( ldaps )
Next by Date: Re: ACL rule: getting crazy with it.
Index(es):
- Chronological
- Thread