--On Tuesday, September 12, 2017 1:38 PM -0700 Ryan Tandy ryan@nardis.ca wrote:
On Mon, Sep 11, 2017 at 04:18:20PM -0500, Nick Gray wrote:
With this config, shouldn't this work as well?
ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=*
The rules on your config database are:
olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
The first matches everything (*), so the second is never consulted.
Which is specifically noted in the slapd.access(5) man page:
The optional field <control> controls the flow of access rule application. It can have the forms
stop continue break
where stop, the default, means access checking stops in case of match.
So as noted in the man page, ACL processing stops at the first matching access rule.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
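As an added illustration (not part of the thread above), here is one way to express the intended policy so that cn=Manager does get manage access to cn=config: since rule {0} matches every entry and stops evaluation, the Manager DN must be listed as a <who> clause inside that same rule rather than in a later rule. The LDIF below replaces the two rules with a single one; the DNs are the ones quoted in the thread, and the closing "by * none" is an assumed explicit default.

```ldif
# Constructed example: collapse both rules into one so evaluation
# never has to reach a second rule that would be skipped anyway.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.base="cn=Manager,dc=local,dc=bob,dc=com" manage
  by * none
```

Apply it over the local socket with the root identity that rule {0} already trusts, assuming an ldapi:/// listener is configured: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif, then confirm the result with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={0}config' olcAccess. The alternative described in slapd.access(5) is to keep two rules and end the first with "by * break" so that checking continues to the next rule; merging the <who> clauses is simpler to audit because the whole policy for the target is visible in one place.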