Tim Gustafson wrote:
Similarly, other ACLs after this one may grant access to cn=log. Your current ACL only grants read access to the group ldap-admins. It doesn't specify rights for other users. Explicitly deny access to others like this:
I tried that as well and got the same result. Also, the man page says that each "access to" stanza is implicitly terminated by a "by * none", so specifying this seems to be unnecessary.
Absolutely. My bad.
A few things you could check here:

1) If this ACL is in the global context, per-database ACLs will precede it. They may be giving read access.

2) Run with loglevel ACL. The log will detail ACL evaluation, and you'll see exactly which ACL grants access.
Jonathan
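The two checks above, written out as an added cn=config example; this is not configuration from the thread or from the OpenLDAP project. It assumes the cn=log entry lives in its own database at olcDatabase={2}mdb, that the group is cn=ldap-admins,ou=groups,dc=example,dc=com, and that the config tree is under /etc/ldap/slapd.d; adjust all three to your deployment.

```ldif
# Added example, not from the original thread. DNs and the database index
# are assumptions.

# 1) Global ACLs are attached to the frontend pseudo-database. This is the
#    ACL under discussion: ldap-admins may read cn=log, and the implicit
#    trailing "by * none" denies everyone else, so no explicit deny is needed.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=log"
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" read

# 2) Per-database ACLs are evaluated before the global ones. A database-level
#    ACL such as
#        olcAccess: {0}to * by * read
#    on the cn=log database would match first and grant read to everybody,
#    and the global ACL above would never be consulted. Replacing the
#    database ACL list with a restrictive one removes that path:
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="cn=log"
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" read

# 3) Turn on ACL evaluation logging to see which clause actually matches.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: acl
```

Apply it with ldapmodify against the config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`). Before touching the live server you can ask slapd directly which ACL applies for a given bind DN, without a network round trip: `slapacl -F /etc/ldap/slapd.d -D "uid=someone,ou=people,dc=example,dc=com" -b "cn=log" -v entry/read`. With `-v` it prints the evaluation trace, so an unexpected read grant points you straight at the database-level ACL rather than the global one.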