
Re: ACL needed write privilege to all subtree of "dc=exadel,dc=com"



Andrei Valoshyn wrote:
> Currently I have an ACL in my slapd.conf file:
> 
> access to attrs=userPassword,userPKCS12
>     by self write
>     by * auth
> [..]
> I need write privilege for my group. I made some changes:
> [..]
> After that, users from the LDAP_admins group can edit everything. But our Password
> Change System, where users can change their passwords, stopped working properly
> because users can't log in.

Disclaimer: I won't analyse your e-mails in detail.

Most likely the "by * auth" in the first ACL is not reached anymore.

Things to consider when writing ACLs:

1. Order is significant

2. Each ACL ends with an implicit <who> clause "by * none" => processing stops
if not explicitly passed on with "break".

Ciao, Michael.
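
The two rules above, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model of how slapd picks an ACL, run over one hypothetical broken ordering and two corrected ones. Assumptions: the entry DNs are constructed, the poster's elided changes are not known so the broad admin rule is hypothetical, `<what>` is reduced to an attribute set, and a requester of `None` stands for the anonymous session that a bind is evaluated under.

```python
# Simplified model of slapd ACL selection (added example, not OpenLDAP code).
# <what> is reduced to an attribute set; "*" means every attribute.
ADMIN = "uid=admin,ou=people,dc=exadel,dc=com"   # constructed LDAP_admins member
ALICE = "uid=alice,ou=people,dc=exadel,dc=com"   # constructed ordinary user
GROUP = {ADMIN}                                  # stands in for a group <who> clause

# The ACL quoted in the thread: by self write / by * auth
PASSWORD_ACL = ({"userPassword", "userPKCS12"},
                [("self", "write", "stop"), ("*", "auth", "stop")])

# Hypothetical broken order: a broad admin rule placed before the password rule.
BROKEN = [("*", [("group", "write", "stop"), ("users", "read", "stop")]),
          PASSWORD_ACL]                          # never reached

# Fix 1: most specific directive first, with the admin group added to it.
REORDERED = [({"userPassword", "userPKCS12"},
              [("group", "write", "stop"), ("self", "write", "stop"),
               ("*", "auth", "stop")]),
             ("*", [("group", "write", "stop"), ("users", "read", "stop")])]

# Fix 2: keep the admin rule first but pass everyone else on with "break".
WITH_BREAK = [("*", [("group", "write", "stop"), ("*", None, "break")]),
              PASSWORD_ACL,
              ("*", [("users", "read", "stop")])]

def who_matches(who, requester, target):
    return {"*": True,
            "self": requester is not None and requester == target,
            "users": requester is not None,
            "group": requester in GROUP}[who]

def access_level(acls, requester, target, attr):
    """Level granted to requester on target's attr; None requester = anonymous."""
    for attrs, by_clauses in acls:               # 1. directives are tried in order
        if attrs != "*" and attr not in attrs:
            continue
        for who, level, control in by_clauses:
            if who_matches(who, requester, target):
                if control == "break":
                    break                        # hand over to the next directive
                return level                     # default control is "stop"
        else:
            return "none"                        # 2. implicit trailing "by * none"
    return "none"                                # no directive granted anything
```

In the broken ordering the anonymous session gets `none` on userPassword, so the bind cannot authenticate, while every authenticated user gets `read` on other users' password values.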

