Howard Chu wrote:
>> access to attrs=userPassword by group="ou=Simple Bind" auth by * break
> Not quite. "auth" operations are always anonymous.
> It would need to be something like
> access to dn.one="ou=Simple Bind" attrs=userPassword by anonymous auth
> access to attrs=userPassword val.regex="^{SASL}.*" by * auth

Right. A set would allow defining a group of users allowed to simple bind without physically placing them under that entry; something like
access to attrs=userPassword by set="[ou=Simple Bind]/member & this" auth
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it