Hello,
Can I make a request that certain features of the access control documentation are emphasized? I've wasted quite a lot of time on this and some simple rules (which already exist in the documentation) would have been really helpful. These are:
8. Access Control
8.2. Access Control via Static Configuration
8.2.5. Access Control Examples
To all attributes except homePhone, an entry can write to itself, entries under example.com entries can search by them, anybody else has no access (implicit by * none) excepting for authentication/authorization (which is always done anonymously).
The fact that authentication is always done anonymously, even if anonymous binds are disabled in the configuration, is very important.
8.2.4. Access Control Evaluation
Slapd stops with the first <what> selector that matches the entry and/or attribute.
This is also very important, as it explains exactly how the access rules are processed.
The order of evaluation of access directives makes their placement in the configuration file important.
I don't think this is emphasized enough, as it is critical to how the access rules are processed.
Also, some mention of the ACL log level would be useful!
Thanks.
Tom
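The two rules highlighted in the message above (first matching <what> wins, and binds are checked as anonymous), as an added example that is not part of the original message or of OpenLDAP's code: a simplified Python model of static ACL evaluation. The rule tuples, function names and sample DNs are assumptions made for illustration, and only attribute selectors and four <who> forms are modelled.

```python
# Added example: simplified model of slapd's static ACL evaluation.
# Not OpenLDAP code; names, tuples and DNs below are illustrative assumptions.

def who_matches(who, requester, entry_dn):
    """requester is None for an unauthenticated (anonymous) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    return False

def evaluate(acl, requester, entry_dn, attr):
    """Access level granted to requester on attr of entry_dn."""
    for what, by_clauses in acl:
        if what != "*" and attr not in what:
            continue
        # The first <what> that matches ends the search through directives.
        for who, level in by_clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"  # implicit "by * none" closing every directive
    return "none"      # implicit "access to * by * none" closing the list

# access to attrs=userPassword by self write by anonymous auth by * none
PASSWORD_RULE = (("userPassword",),
                 [("self", "write"), ("anonymous", "auth"), ("*", "none")])
# access to * by * read
CATCH_ALL = ("*", [("*", "read")])

ORDERED = [PASSWORD_RULE, CATCH_ALL]
MISORDERED = [CATCH_ALL, PASSWORD_RULE]  # catch-all shadows the password rule
NO_ANON_AUTH = [(("userPassword",), [("self", "write"), ("*", "none")]),
                CATCH_ALL]               # nobody can bind: no "auth" for anonymous

ALICE = "uid=alice,dc=example,dc=com"    # constructed sample DNs
BOB = "uid=bob,dc=example,dc=com"

if __name__ == "__main__":
    for name, acl in [("ordered", ORDERED), ("misordered", MISORDERED),
                      ("no anonymous auth", NO_ANON_AUTH)]:
        print(name,
              "| bob on alice's userPassword:", evaluate(acl, BOB, ALICE, "userPassword"),
              "| bind check (anonymous):", evaluate(acl, None, ALICE, "userPassword"))
```

Against a running slapd, the same decisions can be traced with the `acl` log level (`loglevel acl` in slapd.conf).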
I am going to second this.
On 09/01/2016 05:40 AM, Tom Jay wrote:
Hello,
Can I make a request that certain features of the access control documentation are emphasized? I've wasted quite a lot of time on this and some simple rules (which already exist in the documentation) would have been really helpful. These are:
8. Access Control
8.2. Access Control via Static Configuration
8.2.5. Access Control Examples
To all attributes except homePhone, an entry can write to itself, entries under example.com entries can search by them, anybody else has no access (implicit by * none) excepting for authentication/authorization (*which is always done anonymously*). The fact that authentication is always done anonymously, even if anonymous binds are disabled in the configuration, is very important.
8.2.4. Access Control Evaluation
Slapd stops with the first <what> selector that matches the entry and/or attribute. This is also very important, as it explains exactly how the access rules are processed. The order of evaluation of access directives makes their placement in the configuration file important. I don't think this is emphasized enough, as it is critical to how the access rules are processed.
Also, some mention of the ACL log level would be useful!
Thanks.
Tom
I am going to remove my second. I understand http://www.openldap.org/doc/admin24/access-control.html now. I was confused between the difference between the explicit SASL/EXTERNAL and the bind I managed to do without the "-Y EXTERNAL" I did.
On 09/01/2016 07:57 PM, John Lewis wrote:
I am going to second this.
I figured that out too. I wasn't paying close enough attention to my binds.
On 09/05/2016 03:25 PM, John Lewis wrote:
I am going to remove my second. I understand http://www.openldap.org/doc/admin24/access-control.html now. I was confused between the difference between the explicit SASL/EXTERNAL and the bind I managed to do without the "-Y EXTERNAL" I did.
On 09/01/2016 07:57 PM, John Lewis wrote:
I am going to second this.
OpenLDAP is a volunteer-driven project. Feel free to contribute. See http://www.openldap.org/devel/contribution
-Dieter
On 2 Sep 2016, 00:21, at 00:21, Tom Jay tom_jay@hotmail.com wrote:
Hello,
Can I make a request that certain features of the access control documentation are emphasized? I've wasted quite a lot of time on this and some simple rules (which already exist in the documentation) would have been really helpful. These are:
8. Access Control
8.2. Access Control via Static Configuration
8.2.5. Access Control Examples
To all attributes except homePhone, an entry can write to itself, entries under example.com entries can search by them, anybody else has no access (implicit by * none) excepting for authentication/authorization (which is always done anonymously).
The fact that authentication is always done anonymously, even if anonymous binds are disabled in the configuration, is very important.
8.2.4. Access Control Evaluation
Slapd stops with the first <what> selector that matches the entry and/or attribute.
This is also very important, as it explains exactly how the access rules are processed.
The order of evaluation of access directives makes their placement in the configuration file important.
I don't think this is emphasized enough, as it is critical to how the access rules are processed.
Also, some mention of the ACL log level would be useful!
Thanks.
Tom
openldap-technical@openldap.org