
Re: What am I doing wrong with these olcAccess settings?



On Sat, 3 Sep 2016 15:09:39 +0200, A M <amm.priv2@gmail.com> wrote:

> Hello,
> 
> I just need to allow a simple "bind" user to be able to perform the
> authenticated searches in the tree, while allowing all other users to
> consult their data without being able to modify them. So I have set
> the following primitive access rules:
> 
> ------------------------------
> olcAccess: {0}to attrs=userPassword
>  by self write
>  by dn.base="cn=Manager,dc=example,dc=com" write
>  by anonymous auth
>  by * none
> 
> olcAccess: {1}to *
>  by self read
>  by dn.base="cn=Manager,dc=example,dc=com" write
>  by dn="uid=binduser,ou=Users,dc=example,dc=com" read
> -------------------------------
> 
> With these settings, I can in fact perform authenticated searches as
> dn="uid=binduser,ou=Users,dc=example,dc=com" with filter uid=username.
> But the weird thing is that all other non-privileged users cannot see
> their own data, although I have added "to * by self read".
> 
> What am I missing? Thanks ahead for any comment!

Run slapd in debug mode with debug level 128 and check ACL processing.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
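The reply above says to run slapd with debug level 128 and read the ACL trace. As an added example (not code from either poster, and not part of the original thread), the script below shows the three ways to get that trace (a foreground `slapd -d 128`, an `olcLogLevel: acl` change on a running server, and a one-shot `slapacl` question), and an awk filter that reduces a `-d acl` trace to one verdict line per request. It assumes a cn=config (slapd.d) server, the DNs from the quoted message, a hypothetical ordinary user `uid=alice`, and a config path that is an assumption (Debian/Ubuntu use `/etc/ldap/slapd.d`). The sample trace is constructed, modelled on the shape of slapd's ACL debug output, not captured from the poster's server.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posters.
# Assumptions: cn=config (slapd.d) server, the DNs from the quoted message,
# a hypothetical end user uid=alice, and the config path below.

CONFDIR=/etc/openldap/slapd.d                  # assumption: Debian uses /etc/ldap/slapd.d
BINDUSER="uid=binduser,ou=Users,dc=example,dc=com"
ALICE="uid=alice,ou=Users,dc=example,dc=com"   # hypothetical ordinary user

# 1. Foreground slapd with only the ACL trace enabled (-d 128 == -d acl).
#    Stop the service first so the listener is free; the trace goes to
#    stderr, here also copied to a file for the filter below.
run_slapd_acl_trace() {
    slapd -h "ldap://127.0.0.1:389/" -F "$CONFDIR" -d 128 2>&1 | tee /tmp/slapd-acl.log
}

# 2. Same trace from an already running server, sent to syslog (LOCAL4).
enable_acl_loglevel() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: acl
EOF
}

# 3. No restart needed: ask slapacl what one identity may do on one entry.
#    Each argument is attr/access; "entry" gates access to the entry itself.
#    Run it as the user slapd runs as, so it can open the database files.
check_self_read() {
    slapacl -F "$CONFDIR" -D "$ALICE" -b "$ALICE" entry/read cn/read userPassword/write
}
check_binduser_search() {
    slapacl -F "$CONFDIR" -D "$BINDUSER" -b "$ALICE" entry/search uid/search userPassword/read
}

# 4. Reduce a -d acl trace (file argument or stdin) to one line per decision:
#    <access> "<dn>" "<attr>" -> granted|denied by ACL [n]
acl_verdicts() {
    awk '
        /^=> access_allowed: .* requested$/ {
            acc = $3
            sub(/^.* access to /, ""); sub(/ requested$/, "")
            target = $0; clause = "?"; next
        }
        /^<= acl_mask: \[[0-9]+\] applying/ { clause = $3; next }
        /^=> access_allowed: .* access (granted|denied) by / {
            print acc " " target " -> " $5 " by ACL " clause
        }
    ' "$@"
}

# Constructed sample trace (modelled on slapd -d acl output, not a real
# capture): uid=alice reads her own cn, allowed by the "by self read"
# clause, then tries to write her own mail, which that clause does not
# grant. The trace numbers ACLs from 1, so [2] here is olcAccess {1}.
sample_trace() {
    cat <<'EOF'
=> access_allowed: read access to "uid=alice,ou=Users,dc=example,dc=com" "cn" requested
=> acl_get: [2] attr cn
=> acl_mask: access to entry "uid=alice,ou=Users,dc=example,dc=com", attr "cn" requested
=> acl_mask: to all values by "uid=alice,ou=Users,dc=example,dc=com", (=0)
<= check a_dn_pat: self
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: write access to "uid=alice,ou=Users,dc=example,dc=com" "mail" requested
=> acl_get: [2] attr mail
=> acl_mask: access to entry "uid=alice,ou=Users,dc=example,dc=com", attr "mail" requested
=> acl_mask: to all values by "uid=alice,ou=Users,dc=example,dc=com", (=0)
<= check a_dn_pat: self
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: write access denied by read(=rscxd)
=> access_allowed: write access denied by read(=rscxd)
EOF
}

acl_verdicts_from_sample() {
    sample_trace | acl_verdicts
}

acl_verdicts_from_sample
```

When reading a real trace, the two lines that matter are the `<= acl_mask: [n] applying ...` line, which names the clause that stopped evaluation, and the final `=> access_allowed: ... granted|denied` verdict; the bracketed index counts from 1, so `[2]` in the trace is `olcAccess: {1}`. For a single "can this DN do X to that entry" question, `slapacl` gives the same answer without restarting anything.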