https://bugs.openldap.org/show_bug.cgi?id=9256
--- Comment #18 from Ondřej Kuzník ondra@mistotebe.net ---
On Tue, Aug 31, 2021 at 10:32:52AM +0000, openldap-its@openldap.org wrote:
> In the patch, the line "+attribute of the authorizing identity and/or on the" ends with a space.
> Moreover, https://www.openldap.org/doc/admin25/access-control.html#Basic%20ACLs states:
Thanks for taking the time to review this; would you also adapt the proposed patch with your suggestions and submit an MR?
> Generally one should start with some basic ACLs such as:
>
> access to attrs=userPassword
>     by self =xw
>     by anonymous auth
>     by * none
> access to *
>     by self write
>     by users read
>     by * none
>
> Per https://bugs.openldap.org/show_bug.cgi?id=9657, for SIMPLE bind, anonymous needs auth access only to the userPassword attribute, but for SASL bind, anonymous needs access to the whole entry.
> I propose removing "by * none", as it is implicit.
In my view, documentation should be explicit about defaults like this and suggest their use where appropriate.
> I propose extending the patch to state, for this particular example, that the example is suitable for SIMPLE bind and unsuitable for SASL bind (well, “access to attrs=userPassword by self =xz” shall still be preserved). Provide an example that works with SASL bind, e.g.
>
> access to attrs=userPassword
>     by self =xw
> access to *
>     by anonymous auth
>     by self write
>     by users read
>
> (without by * none, since it is explicit).
Thanks,
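As an added illustration for this thread (not OpenLDAP code and not part of the comment above), here is a deliberately simplified Python model of how slapd evaluates ACLs, applied to the two ACL sets quoted in the thread so the privileges each grants to anonymous, authenticated and self sessions can be checked side by side. The entry DNs and the attribute name "uid" are assumed sample values.

```python
# Simplified model of slapd ACL evaluation (added illustration, not slapd code).
# Modelled order: the first "access to" clause whose target matches wins; within
# it, the first matching "by" clause wins; a directive with no matching "by"
# clause denies, i.e. the implicit "by * none". Real slapd has far more
# (regex/dn targets, control flags, "entry"/"children" pseudo-attributes).

# Each named level implies every level below it; "=xw" is an exact privilege set.
LEVEL_PRIVS = {
    "none": set(), "disclose": {"d"}, "auth": {"d", "x"},
    "compare": {"d", "x", "c"}, "search": {"d", "x", "c", "s"},
    "read": {"d", "x", "c", "s", "r"}, "write": {"d", "x", "c", "s", "r", "w"},
}

def privs(access: str) -> set:
    """Map an access spec ("auth", "read", "=xw", ...) to the privilege letters it grants."""
    if access.startswith("="):
        return set(access[1:])
    return LEVEL_PRIVS[access]

def who_matches(who: str, bind_dn, target_dn: str) -> bool:
    """bind_dn is None for an anonymous (unauthenticated) session."""
    return {
        "*": True,
        "anonymous": bind_dn is None,
        "users": bind_dn is not None,
        "self": bind_dn is not None and bind_dn == target_dn,
    }[who]

def allowed(acls, priv: str, attr: str, bind_dn, target_dn: str) -> bool:
    """acls: list of (attrs, or None for '*', [(who, access), ...]) in config order."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, access in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return priv in privs(access)
        return False   # implicit "by * none" at the end of this directive
    return False       # no "access to" directive matched the target

# The two ACL sets quoted in the thread, transcribed as data.
ACL_SIMPLE = [
    (["userPassword"], [("self", "=xw"), ("anonymous", "auth"), ("*", "none")]),
    (None, [("self", "write"), ("users", "read"), ("*", "none")]),
]
ACL_SASL = [
    (["userPassword"], [("self", "=xw")]),
    (None, [("anonymous", "auth"), ("self", "write"), ("users", "read")]),
]

def anonymous_can_auth_against(acls, attr: str) -> bool:
    """Can an unauthenticated client obtain auth (x) access to attr of a sample entry?"""
    return allowed(acls, "x", attr, None, "uid=alice,dc=example,dc=com")  # sample DN
```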