Tim Gustafson wrote:
>> Similarly, other ACLs after this one may grant access to cn=log.
>> Your current ACL only grants read access to the group ldap-admins.
>> It doesn't specify rights for other users. Explicitly deny access
>> to others like this
> I tried that as well and got the same result. Also, the man page
> says that each "access to" stanza is implicitly terminated by a "by *
> none", so specifying this seems to be unnecessary.
Absolutely. My bad.
A few things you could check here:
1) If this ACL is in the global context, per-database ACLs will precede
it. They may be giving read access.
2) Run with loglevel ACL. The log will detail ACL evaluation, and you'll
see exactly which ACL grants access.
Jonathan
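
An added illustration of the two evaluation rules discussed in this thread (the implicit "by * none" and per-database ACLs preceding global ones). It is not code from the thread or from OpenLDAP: it is a simplified model that reduces slapd's matching to exact DNs and group names, and the broad per-database rule is a constructed assumption.

```python
# Simplified model of slapd ACL selection (added example, not OpenLDAP code).
# Assumptions: <what> is an exact DN or "*"; <who> is a group name or "*".
# "cn=log" and "ldap-admins" come from the thread; everything else is constructed.


def effective_acls(database_acls, global_acls):
    """Per-database ACLs are evaluated before the global ones."""
    return database_acls + global_acls


def evaluate(acls, target_dn, requester_groups):
    """Return (access, reason) from the first ACL whose <what> matches."""
    for index, (what, by_clauses) in enumerate(acls, start=1):
        if what not in ("*", target_dn):
            continue
        for who, access in by_clauses:
            if who == "*" or who in requester_groups:
                return access, f"ACL {index}: by {who} {access}"
        # No <who> matched: the implicit trailing "by * none" applies and
        # evaluation stops here; later ACLs are never consulted.
        return "none", f"ACL {index}: implicit by * none"
    return "none", "no ACL matched"


# Global ACL as described in the thread: read on cn=log for ldap-admins only.
GLOBAL_ACLS = [("cn=log", [("ldap-admins", "read")])]

# Constructed per-database rule that is broad enough to match cn=log first.
DATABASE_ACLS = [("*", [("*", "read")])]


def demo():
    outsider = set()  # requester who is not in ldap-admins
    return {
        # The global ACL alone denies the outsider via the implicit "by * none".
        "global_only": evaluate(effective_acls([], GLOBAL_ACLS), "cn=log", outsider),
        # With the database rule in front, the global ACL is never reached.
        "with_database": evaluate(
            effective_acls(DATABASE_ACLS, GLOBAL_ACLS), "cn=log", outsider
        ),
        "admin": evaluate(GLOBAL_ACLS, "cn=log", {"ldap-admins"}),
    }


if __name__ == "__main__":
    for case, (access, reason) in demo().items():
        print(f"{case}: {access} ({reason})")
```

The reason string plays the role of the loglevel ACL output suggested in point 2: it names which rule produced the decision.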