Tim Gustafson wrote:
> Similarly, other ACLs after this one may grant access to cn=log.
> Your current ACL only grants read access to the group ldap-admins.
> It doesn't specify rights for other users. Explicitly deny access
> to others like this

I tried that as well and got the same result. Also, the man page
says that each "access to" stanza is implicitly terminated by a "by *
none", so specifying this seems to be unnecessary.

Absolutely. My bad.
A few things you could check here:
1) If this ACL is in the global context, per-database ACLs will precede
it. They may be giving read access.
2) Run with loglevel ACL. The log will detail ACL evaluation, and you'll
see exactly which ACL grants access.
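To make the two checks above concrete, here is an added slapd.conf excerpt (example config, not something posted in this thread) that puts the cn=log ACL inside the accesslog database section, where it is evaluated before any global "access to" directive, and turns on ACL evaluation logging. The group DN, suffix, directory and rootdn are assumed values; only cn=log and the ldap-admins group name come from the discussion.

```conf
# Added example (not from the thread): keep the cn=log ACL inside the
# accesslog database so it is evaluated before global ACLs.
# Group DN, directory and rootdn below are assumptions.

# --- Global section ---------------------------------------------------

# ACL evaluation logging (keyword "acl", numeric 128). Each request logs
# the "access to" clause that matched and the access it granted, which is
# how you find a rule that unexpectedly grants read on cn=log.
loglevel        acl

# Global ACLs apply to every database, but only as a fallback after that
# database's own ACLs have been tried. A broad rule like this one is the
# kind of clause that silently grants access when the cn=log ACL lives
# only in the global context.
access to *
        by * read

# --- Access log database (cn=log) --------------------------------------
database        mdb
suffix          "cn=log"
directory       /var/lib/ldap/accesslog
rootdn          "cn=admin,cn=log"

# Evaluated first for any entry under cn=log. slapd appends "by * none"
# implicitly; writing it out makes the intended denial visible to whoever
# reviews the file next.
access to dn.subtree="cn=log"
        by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" read
        by * none
```

After reloading, slapacl(8) lets you confirm the outcome without a live bind: run it against the config with -D set to a non-admin DN and -b "cn=log", and it prints the access that identity would get, which should be none for everything under cn=log while the loglevel acl output tells you which clause produced that decision.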