Tim Gustafson wrote:
This is the first ACL in the file.
Tim Gustafson, SOE Webmaster, UC Santa Cruz, tjg@soe.ucsc.edu, 831-459-5354
-----Original Message-----
From: Quanah Gibson-Mount quanah@zimbra.com
Date: Fri, 30 Jan 2009 17:24:47
To: Tim Gustafson tjg@soe.ucsc.edu; openldap-software@openldap.org
Subject: Re: ACL Question
--On Friday, January 30, 2009 4:42 PM -0800 Tim Gustafson tjg@soe.ucsc.edu wrote:
Hi,
I have the following in my slapd.conf:
access to dn.subtree="cn=log" by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu" read
However, anyone (even unbound anonymous users) can access cn=log without any problems. I don't want anyone but ldap-admins to be able to access this subtree.
I'm thinking that I must be missing something really simple here. Am I doing something wrong? Any help is greatly appreciated.
What are your other ACLs? ACLs are applied as they are reached, so if a previous ACL allows access to cn=log, this one will never get evaluated.
Similarly, other ACLs after this one may grant access to cn=log.
Your current ACL only grants read access to the group ldap-admins. It doesn't specify rights for other users. Explicitly deny access to others like this:
access to dn.subtree="cn=log" by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu" read by * none
Jonathan
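The evaluation order described in the reply above, as an added illustration that is not part of the thread and not OpenLDAP code: a small Python model of how slapd selects an ACL. The first `access to` directive whose target selector matches the entry is the only one consulted, the first matching `by` clause inside it decides, and a directive in which no `by` clause matches yields `none`, so an explicit trailing `by * none` does not change the outcome; what does change it is a broader directive (such as `access to * by * read`) placed earlier in the file. The ACL text is modelled on the one in the thread; the `cn=ldap-admins` membership and the `uid=tjg` and `uid=bob` requesters are constructed sample data, and the parser handles only the `*`, `dn`, `dn.base`, `dn.subtree`, `anonymous`, `users`, `self` and `group` selectors used here.

```python
"""Toy model of slapd ACL evaluation order (constructed illustration, not
OpenLDAP code): the first 'access to' directive whose <what> matches the
target is the only one consulted; inside it the first matching 'by' clause
decides; if no 'by' clause matches, the result is 'none'."""
import shlex

# Cumulative access levels, lowest to highest (slapd.access(5)): holding a
# level grants every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm_dn(dn):
    """Crude DN normalisation for the toy: lower-case, strip blanks around RDNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acl(line):
    """Parse 'access to <what> by <who> <level> [by <who> <level> ...]'."""
    tok = shlex.split(line)  # also removes the double quotes around DNs
    if tok[:2] != ["access", "to"] or (len(tok) - 3) % 3 != 0:
        raise ValueError("unsupported ACL syntax: " + line)
    bys = []
    for i in range(3, len(tok), 3):
        if tok[i] != "by" or tok[i + 2] not in LEVELS:
            raise ValueError("unsupported 'by' clause in: " + line)
        bys.append((tok[i + 1], tok[i + 2]))
    return tok[2], bys


def what_matches(what, target):
    """<what> selectors handled: '*', dn/dn.exact/dn.base=..., dn.subtree=..."""
    if what == "*":
        return True
    style, _, dn = what.partition("=")
    dn = norm_dn(dn)
    if style in ("dn", "dn.exact", "dn.base"):
        return target == dn
    if style == "dn.subtree":
        return target == dn or target.endswith("," + dn)
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, requester, target, groups):
    """<who> selectors handled: '*', anonymous, users, self, dn=..., group...=...
    requester is a normalised DN, or None for an unbound (anonymous) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    style, _, dn = who.partition("=")
    dn = norm_dn(dn)
    if style in ("dn", "dn.exact"):
        return requester == dn
    if style.split("/")[0] == "group":  # group=... or group/<oc>/<attr>=...
        return requester is not None and requester in groups.get(dn, set())
    raise ValueError("unsupported <who> selector: " + who)


def evaluate(acl_lines, groups, target_dn, requester_dn, wanted):
    """Decide one request against an ordered ACL list. Returns (granted, why)."""
    target = norm_dn(target_dn)
    requester = norm_dn(requester_dn) if requester_dn else None
    for n, line in enumerate(acl_lines, 1):
        what, bys = parse_acl(line)
        if not what_matches(what, target):
            continue  # not this directive; keep looking
        # This directive owns the decision: later ones are never consulted,
        # whether they would have granted more or less.
        for who, level in bys:
            if who_matches(who, requester, target, groups):
                granted = LEVELS.index(level) >= LEVELS.index(wanted)
                return granted, f"ACL {n}: 'by {who} {level}'"
        return False, f"ACL {n}: no 'by' clause matched, implicit 'by * none'"
    # Once any ACL is configured, an entry no directive matches gets no access.
    return False, "no 'access to' matched the target"


# --- constructed sample data, modelled on the thread's ACL -----------------
LDAP_ADMINS = "cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu"
LOG_ACL = ('access to dn.subtree="cn=log" '
           f'by group/groupOfNames/Member="{LDAP_ADMINS}" read')
CATCH_ALL = "access to * by * read"
SHADOWED = [CATCH_ALL, LOG_ACL]  # broad directive first: it also wins for cn=log
FIXED = [LOG_ACL, CATCH_ALL]     # specific directive first
ADMIN = "uid=tjg,ou=People,dc=soe,dc=ucsc,dc=edu"   # hypothetical group member
OTHER = "uid=bob,ou=People,dc=soe,dc=ucsc,dc=edu"   # hypothetical non-member
GROUPS = {norm_dn(LDAP_ADMINS): {norm_dn(ADMIN)}}

if __name__ == "__main__":
    for name, acls in (("shadowed", SHADOWED), ("fixed", FIXED)):
        for req in (None, ADMIN, OTHER):
            ok, why = evaluate(acls, GROUPS, "cn=log", req, "read")
            print(f"{name:8} {req or 'anonymous':42} read cn=log: "
                  f"{'granted' if ok else 'denied':7} ({why})")
```

Running it shows the catch-all `access to * by * read` granting anonymous read on cn=log when it precedes the cn=log directive, and the same anonymous requester denied once the two directives are swapped, with or without an explicit `by * none`. Against a real server, confirm the effective rights with an anonymous `ldapsearch -x -b cn=log`, or with slapacl(8), which evaluates the actual slapd.conf ACLs for a chosen bind DN and entry without starting slapd.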