Re: ACL rule: getting crazy with it.
Hi Michael,

Thanks for your support. I also realize my misunderstanding, but it was not enough.

What really did the trick was to disable the "pooled bind" and "pooled search" on the CAS side (deployerConfigContext.xml).

Today and tomorrow we will test the new configuration.

Fingers crossed!

Simone

2015-08-20 0:52 GMT+02:00 Michael Ströder <michael@stroeder.com>:
Simone Taliercio wrote:
> access to *
>         by self write
>         by anonymous auth
>         by users search
>
> The only way to workaround that issue is removing any ACL or leaving "by users
> read".

Looking at the ACL above, you likely ran into a misunderstanding.

You should carefully read slapd.access(5). Especially the very important
section "THE ACCESS DIRECTIVE" describes the significance of the order of <what>
and <who> clauses and that checking stops at the first matching <what> and
<who> clause (if control flow is not explicitly redirected).

Given the example above you might rather want this:

access to *
        by self write
        by users search
        by * auth

YMMV.

Also, it's very handy to run slapd -d stats,acl [..other params..] to get ACL
debugging displayed on the console.

Ciao, Michael.
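As an added illustration of the evaluation rule Michael points to (example code written for this page, not from the thread or from OpenLDAP; the DNs and the "misordered" ACL are constructed, and the parser deliberately ignores <what> selectors and break/continue control), here is a small Python model in which the first matching <who> clause decides the outcome:

```python
# Toy model of slapd's "first matching <who> clause wins" rule.
# Added example for this thread; not code from the thread or from OpenLDAP.
# ACL_ORIGINAL and ACL_SUGGESTED are the two directives quoted in the mail;
# everything else (DNs, the misordered variant, the matching rules) is a
# constructed simplification of slapd.access(5).
from dataclasses import dataclass
from typing import List, Optional

# Access levels from slapd.access(5), weakest to strongest; each level
# implies all the levels to its left (search implies auth, not read).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ACL_ORIGINAL = """
access to *
        by self write
        by anonymous auth
        by users search
"""

ACL_SUGGESTED = """
access to *
        by self write
        by users search
        by * auth
"""

# Constructed variant: the suggested clauses with "by * auth" moved first.
ACL_MISORDERED = """
access to *
        by * auth
        by self write
        by users search
"""


@dataclass(frozen=True)
class ByClause:
    who: str    # one of: self, anonymous, users, *
    level: str  # an entry of LEVELS


def parse_access(text: str) -> List[ByClause]:
    """Parse the 'by <who> <level>' lines of one 'access to' directive."""
    clauses = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] != ["by"]:
            continue  # skip blank lines and the 'access to <what>' header
        if len(parts) != 3 or parts[2] not in LEVELS:
            raise ValueError(f"unsupported clause: {line.strip()!r}")
        clauses.append(ByClause(who=parts[1], level=parts[2]))
    return clauses


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """bind_dn is None for an anonymous (unbound) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def granted(acl_text: str, bind_dn: Optional[str], target_dn: str) -> str:
    """Level of the FIRST matching clause; later clauses are never consulted."""
    for clause in parse_access(acl_text):
        if who_matches(clause.who, bind_dn, target_dn):
            return clause.level
    return "none"  # implicit default when no clause matches


def allows(level: str, needed: str) -> bool:
    """True if a granted level covers the privilege an operation needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def summary(acl_text: str) -> dict:
    """What an anonymous session, another bound user and the entry owner get."""
    alice = "uid=alice,ou=people,dc=example,dc=org"  # constructed DN
    bob = "uid=bob,ou=people,dc=example,dc=org"      # constructed DN
    return {
        "anonymous": granted(acl_text, None, bob),
        "other user": granted(acl_text, alice, bob),
        "self": granted(acl_text, alice, alice),
    }


if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("suggested", ACL_SUGGESTED),
                      ("misordered", ACL_MISORDERED)]:
        print(name, summary(acl))
```

Running it shows that, for these three requesters, the original and the suggested directive grant the same levels in this model (auth to anonymous, search to other bound users, write to self), while moving "by * auth" to the top silently downgrades every bound user to auth, because the catch-all clause matches first and the "by users search" line is never reached. That is exactly the kind of surprise the slapd -d stats,acl output makes visible on the console.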