On 04/09/2009 14:16, Tomasz Chmielewski wrote:
Jonathan Clarke wrote:
- You can enable loglevel acl in your configuration file and check the logs to see which rules are being used.
I hope this helps. If you have further questions, don't hesitate to post back here with your full set of ACLs, and information on the version of slapd you're using.
I think I have it working with changing this set of ACLs:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by dn="uid=replica,ou=Users,dc=example,dc=com" write by anonymous auth by * none
access to * by dn="uid=replica,ou=Users,dc=example,dc=com" write by * read
to this:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by dn="uid=replica,ou=Users,dc=example,dc=com" write by anonymous auth by * none
access to dn.subtree="ou=Users,dc=example,dc=com" by dn="uid=Operator,ou=Users,dc=example,dc=com" write by * read by self write by dn="uid=replica,ou=Users,dc=example,dc=com" write by anonymous auth by * none
Be careful - none of the "by" clauses after the 2nd ("by * read") will be read. The first matching clause wins, and "*" matches everyone.
access to dn.subtree="ou=Groups,dc=example,dc=com" by dn="uid=Operator,ou=Users,dc=example,dc=com" write by * read by self write by dn="uid=replica,ou=Users,dc=example,dc=com" write by anonymous auth by * none
access to * by dn="uid=replica,ou=Users,dc=example,dc=com" write by * read
And I think I should comment out "by anonymous auth" from the two entries I added...
auth is only meaningful on the userPassword attribute, which you already granted in your first ACL (well, except some implicit searches during bind, but this is a rare case).
Jonathan
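To make the ordering point from the reply concrete, here is a small model of how slapd walks the "by" clauses of one access directive (first matching clause wins, "*" matches everyone). This is an added example, not code from the thread or from OpenLDAP; it supports only the <who> forms used in the posted ACLs ("*", "anonymous", "self", "dn=<exact dn>") and ignores slapd's other selectors and its stop/continue/break controls. The DNs are the ones quoted in the thread.

```python
# Minimal model of how slapd evaluates the "by" clauses of one access
# directive: clauses are tested in order and the first whose <who> matches
# the requester decides the access level; nothing after it is consulted.
# Added example, not code from the thread; the DNs are the ones quoted there.

def who_matches(who, requester, target_dn):
    """who: '*', 'anonymous', 'self' or 'dn=<exact dn>' (a subset of slapd syntax).
    requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        wanted = who[3:].strip('"').lower()
        return requester is not None and requester.lower() == wanted
    raise ValueError(f"unsupported <who>: {who}")

def effective_access(by_clauses, requester, target_dn):
    """by_clauses: list of (who, level) in directive order. Returns the level
    granted by the first matching clause, or 'none' if nothing matches."""
    for who, level in by_clauses:
        if who_matches(who, requester, target_dn):
            return level
    return "none"

def unreachable_clauses(by_clauses):
    """Indexes of clauses that can never be consulted because an earlier
    'by *' clause already matches every requester."""
    for i, (who, _) in enumerate(by_clauses):
        if who == "*":
            return list(range(i + 1, len(by_clauses)))
    return []

OPERATOR = 'dn="uid=Operator,ou=Users,dc=example,dc=com"'
REPLICA = 'dn="uid=replica,ou=Users,dc=example,dc=com"'

# The ou=Users directive as posted: "by * read" sits second, so self,
# replica and anonymous never get their own clause.
POSTED = [(OPERATOR, "write"), ("*", "read"), ("self", "write"),
          (REPLICA, "write"), ("anonymous", "auth"), ("*", "none")]

# Same clauses with the catch-all moved last, so every specific clause is reachable.
REORDERED = [(OPERATOR, "write"), ("self", "write"), (REPLICA, "write"),
             ("anonymous", "auth"), ("*", "read")]
```

Running `unreachable_clauses(POSTED)` reports four shadowed clauses, and `effective_access` shows the replica DN and anonymous binds both receiving only the "read" from the catch-all, while the reordered list gives them "write" and "auth" respectively.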