John,
Please take a look at section 5.3.4 of the OpenLDAP Administrator's
Guide ( http://www.openldap.org/doc/admin23/slapdconf2.html#Access%20Control ),
"Access Control Evaluation". This material is not in the
slapd.access(5) man page nor any of the other man pages it points to.
This says, "Slapd stops with the first <what> selector that matches
the entry and/or attribute," which means it will stop when it finds
the first of your list, and if the <who> associated with that one
doesn't fit the requester, it will apply the default. The other
directives will never be evaluated. That's why Quanah's suggestion is
correct.
This section is very helpful in understanding how to construct and
order your access directives. Hope this helps.
--
Marty
On Jul 14, 2005, at 7:44 AM, Quanah Gibson-Mount wrote:
--On Thursday, July 14, 2005 6:42 PM +0800 John Mok <[EMAIL PROTECTED]> wrote:
access to *
by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
access to *
by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
access to *
by * read
This should be one statement:
access to *
by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
by * read
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
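To make the evaluation rule Marty quotes concrete, here is an added example (not from the thread, not slapd code) that simulates the Admin Guide's "first matching <what> wins, then first matching <who> wins" order and runs it over both John's three separate directives and Quanah's single merged directive. The parser, the DN normalisation, the fallback level when no directive matches, and the entry and "other user" DNs are all simplifying assumptions made for the illustration; real slapd supports many more <what>/<who> selector forms than the two handled here.

```python
"""Simulator of OpenLDAP slapd ACL evaluation order (added example, not slapd's code).

Assumptions made for this illustration only:
  - <what> is either "*" (every entry) or an exact DN
  - <who>  is either "*" (anyone) or dn="<exact DN>"
  - DNs are compared case-insensitively with whitespace stripped
  - if no directive's <what> matches, the level in `default` is returned
"""
import re
from dataclasses import dataclass, field


@dataclass
class Access:
    what: str
    by: list = field(default_factory=list)  # ordered (who, level) pairs


def norm_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def what_matches(what: str, entry: str) -> bool:
    return what == "*" or norm_dn(what) == norm_dn(entry)


def who_matches(who: str, requester: str) -> bool:
    if who == "*":
        return True
    if who.startswith("dn="):
        return norm_dn(who[3:].strip('"')) == norm_dn(requester)
    raise ValueError(f"unsupported <who> selector: {who}")


def evaluate(acl: list, requester: str, entry: str, default: str = "none") -> str:
    """Return the access level `requester` gets on `entry`.

    The FIRST directive whose <what> matches the entry is selected and no
    later directive is consulted; inside it the first matching <who> decides.
    If the selected directive has no matching <who>, access is "none".
    """
    for directive in acl:
        if what_matches(directive.what, entry):
            for who, level in directive.by:
                if who_matches(who, requester):
                    return level
            return "none"
    return default


def parse_acl(text: str) -> list:
    """Parse slapd.conf-style 'access to ... / by ...' lines (constructed parser)."""
    acl = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acl.append(Access(what=line[len("access to "):].strip()))
        elif line.startswith("by "):
            m = re.fullmatch(r'by\s+(\*|dn="[^"]*")\s+(\w+)', line)
            if not m:
                raise ValueError(f"cannot parse <who> clause: {line}")
            acl[-1].by.append((m.group(1), m.group(2)))
        else:
            raise ValueError(f"unexpected line: {line}")
    return acl


# John's original configuration: three separate directives with the same <what>.
ORIGINAL = """
access to *
  by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
access to *
  by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
access to *
  by * read
"""

# Quanah's correction: one directive, all <who> clauses in order.
MERGED = """
access to *
  by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
  by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
  by * read
"""

LDAPADMIN = "uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth"
JOHN = "uid=john/admin,cn=GSSAPI,cn=auth"
OTHER = "uid=someone,cn=GSSAPI,cn=auth"   # constructed identity, not from the thread
ENTRY = "cn=example,dc=javapro,dc=org"    # constructed entry DN, not from the thread


def compare() -> dict:
    """Evaluate the three requesters against both configurations."""
    results = {}
    for name, text in (("original", ORIGINAL), ("merged", MERGED)):
        acl = parse_acl(text)
        results[name] = {
            "ldapadmin": evaluate(acl, LDAPADMIN, ENTRY),
            "john/admin": evaluate(acl, JOHN, ENTRY),
            "other": evaluate(acl, OTHER, ENTRY),
        }
    return results


if __name__ == "__main__":
    for name, levels in compare().items():
        print(name, levels)
```

Running it shows why the first form misbehaves: under the original configuration the first `access to *` is selected for every requester, so john/admin and everyone else fall through its single `by` clause and get "none", while the merged directive gives ldapadmin and john/admin write and everyone else read. The same ordering logic is why a broad `access to *` placed early in slapd.conf silently shadows every more specific directive after it.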