Hi,
On my olcDatabase={1}bdb,cn=config I added an ACL:

{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth

I don't understand why I have to add "by * auth" to allow the two previous users to be logged in?
Thanks
Aurélien Lafranchise | Consultant Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11 www.snype-consulting.com
On 06/06/2011 01:47 PM, Aurélien Lafranchise wrote:
> Hi,
> On my olcDatabase={1}bdb,cn=config I added an ACL:
> {0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth
> I don't understand why I have to add "by * auth" to allow the two previous users to be logged in?
Most of the time when connecting to the LDAP server, your connection starts unauthenticated and you are an anonymous user. To be able to authenticate via simple bind, the account's userPassword attribute needs to have an auth permission to be considered. The common thing to do is to add this as the first ACL in the list:
olcAccess: {0}to attrs=userPassword by self write by * auth
If you want replication of user accounts, then you need to grant an additional privilege to the replication user to read it. Something like this:

olcAccess: {0}to * by dn.exact="the replication user's dn" read by * break
olcAccess: {1}to attrs=userPassword by self write by * auth
You definitely need to read man slapd.access though.
-- 
Ondrej Kuznik
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
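The access-check walk the reply describes, as an added example that is not code from the thread or from OpenLDAP: a small Python model of how slapd consults olcAccess directives in order, picks the first "by" clause that matches the requester, and lets "break" hand over to the next directive. It runs the three ACL sets from this thread against a simple bind, which starts out anonymous and therefore needs "auth" on userPassword. The replicator DN is constructed (the reply leaves it unspecified), only the "stop" and "break" controls and the "who" forms used here are modelled, and dn= is treated as an exact match; it is a teaching model, not the slapd ACL engine.

```python
import shlex
from dataclasses import dataclass

# slapd access levels, weakest to strongest (slapd.access(5)): granting one
# level implicitly grants every level to its left, so "write" covers "auth".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str        # "*", "anonymous", "users", "self", or an exact DN
    level: str      # entry of LEVELS ("none" when the clause names no level)
    control: str    # "stop" (default) or "break"; "continue" is not modelled

def parse_acl(value):
    """Parse one olcAccess value '[{n}]to <what> by <who> [<level>] [<control>] ...'
    into (target, [By, ...]).  Only the syntax used in this thread is handled;
    dn= and dn.exact= are both treated as an exact-match DN (model simplification)."""
    tokens = shlex.split(value)                 # honours the "..." around DNs
    if tokens[0].startswith("{"):
        tokens[0] = tokens[0].split("}", 1)[1]  # "{0}to" -> "to"
    if tokens[0] != "to":
        raise ValueError("an access directive must start with 'to'")
    what = tokens[1]
    target = what[len("attrs="):] if what.startswith("attrs=") else what
    clauses, i = [], 2
    while i < len(tokens):
        if tokens[i] != "by":
            raise ValueError(f"expected 'by', got {tokens[i]!r}")
        who = tokens[i + 1]
        for prefix in ("dn.exact=", "dn="):
            if who.startswith(prefix):
                who = who[len(prefix):]
                break
        i += 2
        level, control = "none", "stop"
        if i < len(tokens) and tokens[i] in LEVELS:
            level, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] in ("stop", "break"):
            control, i = tokens[i], i + 1
        clauses.append(By(who, level, control))
    return target, clauses

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    return requester is not None and requester.lower() == who.lower()

def check_access(directives, requester, entry_dn, attr, wanted):
    """True if requester may perform 'wanted' on attr of entry_dn: the first
    directive covering attr is used, its first matching 'by' clause decides,
    'break' hands over to the next directive, and a directive whose target
    matches but whose clauses do not means denied (implicit 'by * none')."""
    for target, clauses in directives:
        if target != "*" and target.lower() != attr.lower():
            continue
        for clause in clauses:
            if not who_matches(clause.who, requester, entry_dn):
                continue
            if clause.control == "break":
                break                       # consult the next directive
            return LEVELS.index(clause.level) >= LEVELS.index(wanted)
        else:
            return False
    return False

def simple_bind_allowed(directives, bind_dn):
    """A simple bind starts out anonymous, so slapd needs 'auth' access to the
    entry's userPassword before it will compare the supplied password."""
    return check_access(directives, None, bind_dn, "userPassword", "auth")

USER1, USER2 = "cn=user1,dc=truc", "cn=user2,dc=mbqt"
REPLICATOR = "cn=replicator,dc=example"     # constructed; the reply leaves it unspecified

# The directive from the question, with and without the trailing "by * auth".
ASKED = [parse_acl('{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth')]
ASKED_NO_AUTH = [parse_acl('{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read')]

# The ordering the reply recommends: the password rule goes first.
RECOMMENDED = [parse_acl(v) for v in (
    "{0}to attrs=userPassword by self write by * auth",
    '{1}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read',
)]

# The replication variant from the reply, with the constructed replicator DN.
REPLICATION = [parse_acl(v) for v in (
    f'{{0}}to * by dn.exact="{REPLICATOR}" read by * break',
    "{1}to attrs=userPassword by self write by * auth",
)]

if __name__ == "__main__":
    print("bind as user1, asked ACL:        ", simple_bind_allowed(ASKED, USER1))
    print("bind as user1, without by * auth:", simple_bind_allowed(ASKED_NO_AUTH, USER1))
    print("user2 reads user1's password:    ", check_access(RECOMMENDED, USER2, USER1, "userPassword", "read"))
    print("replicator reads user1 password: ", check_access(REPLICATION, REPLICATOR, USER1, "userPassword", "read"))
```

Two things the model makes visible that the thread only implies: without the trailing "by * auth" the anonymous pre-bind connection matches no clause of the asked directive and the bind is refused, and with the asked directive as written user2's "read" on "to *" also covers userPassword, so putting "to attrs=userPassword ... by * auth" first, as the reply suggests, is what keeps other accounts' password hashes out of reach while still allowing binds. On a real server the authoritative check is slapacl (point -F at the cn=config directory, -b at the entry, pass userPassword/auth as the attribute and access to test, and omit -D to test as anonymous).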
Hi
Thank you very much, it was very clear.
I already have the Administrator Guide 2.4, and it was not clear in it (as was the way to configure it the first time).
Regards
2011/6/7 Ondrej Kuznik <ondrej.kuznik@acision.com>