https://bugs.openldap.org/show_bug.cgi?id=9256
--- Comment #18 from Ondřej Kuzník <[email protected]> ---

On Tue, Aug 31, 2021 at 10:32:52AM +0000, [email protected] wrote:
> In the patch, the line:
> +attribute of the authorizing identity and/or on the
> ends with a space.
>
> Moreover,
> https://www.openldap.org/doc/admin25/access-control.html#Basic%20ACLs
> states:

Thanks for taking time to review this, would you also adapt the proposed patch with your suggestions and submit a MR?

> Generally one should start with some basic ACLs such as:
>
> access to attrs=userPassword
> by self =xw
> by anonymous auth
> by * none
>
> access to *
> by self write
> by users read
> by * none
>
> Per https://bugs.openldap.org/show_bug.cgi?id=9657, for SIMPLE bind, anonymous
> needs auth access only to the userPassword attribute, but for SASL bind,
> anonymous needs access to the whole entry.
>
> I propose removing "by * none", as it is implicit.

In my view, documentation should be explicit about defaults like this and suggest their use where appropriate.

> I propose extending the patch, to state for this particular example, that the
> example is suitable for SIMPLE bind, and unsuitable for SASL bind. (well
> “access to attrs=userPassword by self =xz” shall still be preserved). Provide
> example that works with SASL bind, e.g.
>
> access to attrs=userPassword
> by self =xw
>
> access to *
> by anonymous auth
> by self write
> by users read
>
> (without by * none, since it is explicit).

Thanks,
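The following is an added illustration, not part of the bug report or of the proposed documentation patch: the ACLs discussed above rendered as an olcAccess modification for cn=config. It combines both requirements stated in the thread (anonymous needs auth access to userPassword for SIMPLE bind, and auth access to the whole entry for SASL bind) and keeps the default `by * none` explicit, as argued above. The database DN `olcDatabase={1}mdb,cn=config` is an assumption; adjust it to the real database entry.

```ldif
# Constructed example (not from the bug report); the database DN is assumed.
# Continuation lines start with one LDIF fold space plus one real space so
# that the clauses stay separated when the value is unfolded.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: userPassword is evaluated first. "auth" for anonymous is what a
# SIMPLE bind needs; "=xw" lets a user change its own password without
# being able to read it back. "by * none" restates the default explicitly.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# {1}: the catch-all. "by anonymous auth" on the entry is what a SASL bind
# needs, per the thread; the remaining clauses are the basic example from
# the admin guide, again with the default spelled out.
olcAccess: {1}to *
  by anonymous auth
  by self write
  by users read
  by * none
```

Apply with `ldapmodify` against the config database; the `{n}` ordering prefixes matter because slapd stops at the first `to` clause that matches the target.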
