On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix dc=dominio,dc=com,dc=br
OK so far, but this is your complete set of ACLs:
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to *
#        by anonymous read
#        by dn="cn=root,dc=dominio,dc=com,dc=br" write
#        by anonymous auth
#        by self write
#        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
######### This last entry was commented out. I uncommented it to check if it would change anything, but it didn't.
# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=nodomain" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=nodomain" write
#        by dnattr=owner write
... so all you have is anon access to the null DN.
The commented-out userPassword clause is getting close, but does not actually control userPassword...
I suggest you add this after the 'access to dn.base="" by * read' line:
access to attrs="userPassword"
        by self =w
        by * auth
access to * by * read
Andrew
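To make the first-match semantics behind Andrew's suggestion concrete, here is a small Python model of slapd.conf ACL evaluation. It is an added example, not part of the thread and not slapd's own code: it supports only the <what>/<who> forms that appear above (`*`, `attrs=`, `dn.base=`, `self`, `anonymous`, `users`, `dn=`), ignores rootdn bypass and other real slapd behaviour, and the entries `uid=alice,...` and `uid=bob,...` are constructed. It shows why Leonardo's commented-out `access to *` block would expose password hashes to anonymous readers, why the `dn.base=""` line alone leaves everything else unreadable, and what the suggested `attrs="userPassword"` clause grants to whom.

```python
"""Toy model of slapd.conf ACL evaluation (added example; not slapd itself).

Modelled rules, following the thread's ACLs:
  * the first 'access to' clause whose <what> matches the target wins;
  * within it, the first 'by' clause whose <who> matches the requester wins;
  * a matched <what> with no matching <who>, or no matching <what>, gives 'none';
  * a bare level such as 'read' grants that level and all below it, while
    '=w' grants exactly the listed privilege letters (write only, no read).
"""
import shlex

# privilege letters in slapd's notation, ordered from lowest to highest level
LEVEL_LETTERS = {"none": "", "disclose": "d", "auth": "x", "compare": "c",
                 "search": "s", "read": "r", "write": "w", "manage": "m"}
LEVEL_ORDER = list(LEVEL_LETTERS)


def privileges_of(spec):
    """Translate a 'by' clause access spec into the set of privilege letters it grants."""
    if spec.startswith("="):                    # exact form, e.g. '=w'
        return frozenset(spec[1:])
    if spec not in LEVEL_ORDER:
        raise ValueError("unsupported access level: %r" % spec)
    idx = LEVEL_ORDER.index(spec)               # level form: this level and everything below
    return frozenset("".join(LEVEL_LETTERS[lvl] for lvl in LEVEL_ORDER[: idx + 1]))


def parse_acls(text):
    """Return [(what, [(who, privileges), ...]), ...] in configuration order.

    '#' comments are dropped and 'by' clauses may continue on indented lines,
    as in slapd.conf.  shlex strips the quotes around attrs="..." and dn="...".
    """
    tokens = []
    for raw in text.splitlines():
        tokens.extend(shlex.split(raw, comments=True))
    acls, i = [], 0
    while i < len(tokens):
        if tokens[i] == "access" and tokens[i + 1] == "to":
            acls.append((tokens[i + 2], []))
        elif tokens[i] == "by":
            acls[-1][1].append((tokens[i + 1], privileges_of(tokens[i + 2])))
        else:
            raise ValueError("unexpected token %r" % tokens[i])
        i += 3
    return acls


def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[len("attrs="):].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError("unsupported <what>: %r" % what)


def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and requester_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who>: %r" % who)


def privileges(acls, requester_dn, target_dn, attr=None):
    """Privilege letters the requester (None = anonymous) gets on target_dn/attr."""
    for what, by_clauses in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, privs in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return privs
        return frozenset()          # <what> matched, no <who> did: implicit 'by * none'
    return frozenset()              # nothing matched at all


def can(acls, requester_dn, target_dn, attr, letter):
    return letter in privileges(acls, requester_dn, target_dn, attr)


# The default block Leonardo had commented out, as quoted in the thread.
DEFAULT_BLOCK = """
access to *
        by anonymous read
        by dn="cn=root,dc=dominio,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none
"""

# What was actually active in his configuration: only the null-DN rule.
ONLY_NULL_DN = 'access to dn.base="" by * read'

# Andrew's suggestion, in the order he gives it.
SUGGESTED = """
access to dn.base="" by * read
access to attrs="userPassword"
        by self =w
        by * auth
access to * by * read
"""

ALICE = "uid=alice,dc=dominio,dc=com,dc=br"   # constructed sample entries
BOB = "uid=bob,dc=dominio,dc=com,dc=br"


def compare():
    """Evaluate the security-relevant questions against all three ACL sets."""
    old, bare, new = parse_acls(DEFAULT_BLOCK), parse_acls(ONLY_NULL_DN), parse_acls(SUGGESTED)
    return {
        "old_anon_reads_hash": can(old, None, ALICE, "userPassword", "r"),
        "bare_anon_reads_mail": can(bare, None, ALICE, "mail", "r"),
        "bare_anon_reads_rootdse": can(bare, None, "", "supportedSASLMechanisms", "r"),
        "new_anon_reads_hash": can(new, None, ALICE, "userPassword", "r"),
        "new_anon_can_bind": can(new, None, ALICE, "userPassword", "x"),
        "new_self_writes_password": can(new, ALICE, ALICE, "userPassword", "w"),
        "new_self_reads_hash": can(new, ALICE, ALICE, "userPassword", "r"),
        "new_bob_reads_alice_mail": can(new, BOB, ALICE, "mail", "r"),
    }


if __name__ == "__main__":
    for question, answer in compare().items():
        print("%-28s %s" % (question, answer))
```

The point the model makes visible: with `access to *` first, every `by` line after the first match for a requester is dead, so `by anonymous read` hands out password hashes before `by anonymous auth` is ever consulted; the suggested ordering matches `userPassword` before the catch-all, grants the owner write-only (`=w`) and everyone else just enough (`auth`) to bind.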