On Fri, Jan 19, 2007 at 09:47:10PM -0800, Howard Chu wrote:
Alex Samad wrote:
On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to *
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to *
    by * none
Think what you need here is
access to *
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
    by * break
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to *
    by * none
Yes, but sloppy. Don't use rules you don't need, and write rules that work with the natural order of processing:
access to attrs=userPassword
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
    by self write
    by anonymous auth
access to *
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
I.e., don't throw in gratuitous "break" statements when you don't need to.
Agreed for this simple solution, but when you have a whole bundle of different attributes that you want uid=slurp to have root-style access to, why not place it at the top? Otherwise you have to place it in 5-10 or 20-30 different access control blocks.
I suppose what would be nice is if you could define macros to be placed in an access control block.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
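
The three rule sets quoted in this thread, run through a simplified model of slapd's first-match ACL evaluation. This is an added example, not part of the original messages and not OpenLDAP code. Assumptions: only "*", "anonymous", "self" and exact-DN <who> clauses are modelled, "break" continues to the next rule without changing privileges, a simple bind is checked as an anonymous request needing "auth" on userPassword, and the uid=alice DN is constructed.

```python
# Added example: simplified model of slapd ACL evaluation (not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SLURP = "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"   # DN from the thread
ALICE = "uid=alice,ou=users,dc=xxxxxxxx,dc=xx"   # constructed ordinary user

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    return requester == who              # anything else: exact DN match

def evaluate(acl, requester, entry_dn, attr):
    """Access level granted to requester (None = anonymous) on entry_dn/attr."""
    for what, clauses in acl:
        if what not in ("*", attr):
            continue                     # <what> does not cover this attribute
        for who, level, control in clauses:
            if who_matches(who, requester, entry_dn):
                if control == "break":
                    break                # keep looking at later rules
                return level             # default control is "stop"
        else:
            return "none"                # implicit trailing "by * none"
    return "none"                        # implicit final "access to * by * none"

def can_bind(acl, entry_dn):
    # Assumption: a simple bind is checked as anonymous needing "auth" on userPassword.
    got = evaluate(acl, None, entry_dn, "userPassword")
    return LEVELS.index(got) >= LEVELS.index("auth")

S = "stop"
ORIGINAL = [("*", [(SLURP, "write", S)]),
            ("*", [("*", "none", S)])]
WITH_BREAK = [("*", [(SLURP, "write", S), ("*", None, "break")]),
              ("userPassword", [("anonymous", "auth", S), ("self", "write", S),
                                ("*", "none", S)]),
              ("*", [("*", "none", S)])]
NATURAL_ORDER = [("userPassword", [(SLURP, "write", S), ("self", "write", S),
                                   ("anonymous", "auth", S)]),
                 ("*", [(SLURP, "write", S)])]

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("with break", WITH_BREAK),
                      ("natural order", NATURAL_ORDER)]:
        print(name, "bind:", can_bind(acl, ALICE),
              "slurp on mail:", evaluate(acl, SLURP, ALICE, "mail"))
```

In the first rule set the opening "access to *" clause matches every request and stops, so the anonymous auth check never reaches a rule that would grant it; the other two differ only in whether that is solved with "break" or by ordering the userPassword rule first.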