Hi,
I have most of this bloody long ACL working right, but I still need anonymous access to any entry under the "ou=people,o=linfield.edu" base DN for the purpose of authentication. I need to be able to search on the UID in order to retrieve the full DN of the entry. None of my trials have been successful. Can someone please help?
Thanks, Rob
access to dn.one="ou=people,o=linfield.edu" attrs=userpassword by anonymous auth
access to dn.one="ou=people,o=linfield.edu" by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
access to dn.one="ou=people,o=linfield.edu" filter=(!(ou=student)) by * read
access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student)) by * read
access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ou=Student))(!(entryStatus=Inactive))) by * read
access to dn.one="ou=people,o=linfield.edu" attrs=userPassword,maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords by self write
At 03:18 PM 12/4/2006, Rob Tanner wrote:
> I have most of this bloody long ACL working right,
You seem to have forgotten that evaluation stops (by default) at the first matching access statement.
> but I still need anonymous access to any entry under the "ou=people,o=linfield.edu" base DN for the purpose of authentication. I need to be able to search on the UID in order to retrieve the full DN of the entry. None of my trials have been successful. Can someone please help?
Order matters. I suggest you read the Admin Guide and FAQ discussion of access controls to get a basic understanding of how access controls should be ordered.
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
http://www.openldap.org/faq/index.cgi?file=1375
http://www.openldap.org/faq/index.cgi?file=189
> Thanks, Rob
> access to dn.one="ou=people,o=linfield.edu" attrs=userpassword by anonymous auth
> access to dn.one="ou=people,o=linfield.edu" by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
> access to dn.one="ou=people,o=linfield.edu" filter=(!(ou=student)) by * read
> access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student)) by * read
> access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ou=Student))(!(entryStatus=Inactive))) by * read
> access to dn.one="ou=people,o=linfield.edu" attrs=userPassword,maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords by self write
> --
> Rob Tanner UNIX Services Manager Linfield College, McMinnville OR
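One ordering that meets the requirement in the thread, as an added example (not from either poster): the DN and attribute names are taken from the posted ACL, and it assumes a slapd release with the "break" control described in the 2.3 Admin Guide linked above.

```conf
# Evaluation is top-down: the first directive whose target matches the
# entry/attribute is used, and if none of its "by" clauses match the
# requester, access is denied.  In the posted ACL the Postfix/ferpa rule
# matches every attribute of every entry under ou=people, so anonymous,
# self and every filter rule after it never get a say.

# Bind: anonymous may only use userPassword for authentication.
access to dn.one="ou=people,o=linfield.edu" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Self-service mail settings (reachable now that userPassword has its own rule).
access to dn.one="ou=people,o=linfield.edu"
    attrs=maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords
    by self write
    by * break

# DN lookup before bind: anonymous needs search on uid and read on the
# "entry" pseudo-attribute (without it no DN is returned).  "break" sends
# every other requester on to the rules below instead of stopping here.
access to dn.one="ou=people,o=linfield.edu" attrs=entry,uid
    by anonymous read
    by * break

# Anonymous gets nothing else under ou=people; "by * read" further down
# would otherwise include it, since "*" means anyone, anonymous included.
access to dn.one="ou=people,o=linfield.edu"
    by anonymous none
    by * break

# Privileged readers see everything; they must come before the filter rules,
# because a matching filter rule with "by * read" would end evaluation.
access to dn.one="ou=people,o=linfield.edu"
    by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
    by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
    by * break

# Everyone else: non-students, and students that are active and not private.
# (The posted (!(ou=Student)) rule is subsumed by the first filter rule below.)
access to dn.one="ou=people,o=linfield.edu" filter=(!(ou=student)) by * read
access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student)) by * read

# Whatever is left (private or inactive students) stays hidden.
access to dn.one="ou=people,o=linfield.edu" by * none
```

Check it with slapacl against a real entry for an anonymous requester (no -D) and for the Postfix DN before reloading slapd, since a mis-ordered rule fails silently as a denial rather than an error.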
openldap-software@openldap.org