>>> access to *
>>>         by * read
>>> access to attrs=userPassword
>>>         by self write
>>>         by * auth
>>
>> This looks correct.
>
> Actually, I have a question about this. Since access to * by * read comes
> first, won't the second ACL never be evaluated? My understanding of
> OpenLDAP ACLs is they stop at the first matching ACL that gives any sort
> of access (unless there is a by * break in there). And besides, isn't
> this ACL particularly insecure, in that it would allow anyone to read
> anyone else's password? I would expect that these two ACLs should be
> reversed.
Gotcha. Sorry for the wrong indication.

p.

-- 
Pierangelo Masarati mailto:[EMAIL PROTECTED]
SysNet - via Dossi,8 27100 Pavia
Tel: +390382573859 Fax: +390382476497
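The reversed ordering that the question above asks for, written out as a slapd.conf access-control fragment. This is an added example and not part of the original thread or of any poster's configuration; the directives are the thread's own two rules swapped into the correct order, and the comments explaining slapd's first-match evaluation are additions.

```conf
# slapd.conf access-control fragment (added example, not from the thread).
# slapd evaluates "access to" directives in order and applies the FIRST
# one whose <what> clause matches the entry/attribute being accessed;
# later directives are only reached through "break"/"continue". The
# attribute-specific rule therefore has to come before the catch-all.

# Most specific first: userPassword is matched here and never reaches "*".
access to attrs=userPassword
        by self write        # the entry's owner may change its own password
        by * auth            # everyone else may only bind against it, not read it

# Catch-all last: everything except userPassword falls through to this rule.
access to *
        by * read

# The ordering quoted in the thread, kept here for contrast (do NOT use):
# with the catch-all first, attrs=userPassword is already matched by "*",
# the second directive is never consulted, and the password attribute
# becomes world-readable.
#
# access to *
#         by * read
# access to attrs=userPassword
#         by self write
#         by * auth
```

A quick way to confirm the effective order without restarting slapd is slapacl, which evaluates the configured ACLs for a given bind DN and target, for example `slapacl -b "<entry DN>" -D "<bind DN>" userPassword/read` (placeholder DNs); with the corrected fragment that check should report read as denied for any bind DN other than the entry itself.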
