-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 20/12/2010, at 23:29, Richard Connon wrote:
Hi. I'm having some trouble reading certain attributes using non-root DNs on my directory. My olcAccess attributes on the relevant database are these:
olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell,gecos by self write by anonymous auth by * none olcAccess: {1}to * by * read
My understanding suggests that the second line should allow any user and even anonymous to read all attributes but I can't read the loginShell attribute as anonymous
No, this is correct.
The ACL's are evaluated in order. So in your query, the login shell is matched by the first ACL, and anonymous can only use it for binding
If it were another attribute, lets say UID, this wont match the first ACL, and will go down to the second one.
The general rule is targeted ACLs first, then generalised ones after.
William Brown
pgp.mit.edu