Sweet, that worked! Thank you so much.
Can you include multiple sasl-regexp statements in the slapd.conf file? I would like to add a literal mapping such as:

sasl-regexp uid=ldapadmin,cn=QM,cn=gssapi,cn=auth cn=ldapadmin,dc=qm

since the other regexp is mapping the [EMAIL PROTECTED] principal to uid=ldapadmin,ou=people,dc=qm, which is not correct.

Thank you again for the help. I will read through the manual this weekend so I can start tweaking permissions on a per-user basis.

Cheers,
Silas =0)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karsten Gorling
Sent: Thursday, September 22, 2005 2:23 PM
To: [email protected]
Subject: Re: ACL Headaches

>* Bennett, Silas (GE Infrastructure) <[EMAIL PROTECTED]> [050922 23:09]:
>> Ok,
>>
>> My slapd.access file now looks like:
>>
>> #########
>> olcAccess: to dn.base=""
>>     by dn="cn=ldapadmin,dc=qm" write
>>     by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
>>     by dn.exact="uid=silasb,ou=people,dc=qm" write
>>     by self write
>>     by * read
>>
>> olcAccess: to *
>>     by dn="cn=ldapadmin,dc=qm" write
>>     by dn="uid=ldapadmin,cn=QM,cn=gssapi,cn=auth" write
>>     by dn.exact="uid=silasb,ou=people,dc=qm" write
>>     by * read
>> #########
>
>Is this exactly what your ACLs look like? In "man slapd.conf" I
>cannot find an olcAccess statement.
>
>Your ACLs should be something like that:
>
>SNIP-->
># Writing to the RootDSE is impossible (AFAIK), but everybody should be able
># to read the information there
>access to dn.base=""
>    by * read
>
># Everybody should be able to read the schema on the server
>access to dn.base="cn=Subschema"
>    by * read
>
># Access to back monitor (backend monitor must be enabled for this)
># only a privileged user should read this
>access to dn.subtree="cn=Monitor"
>    by dn.exact="dn_of_a_user_you_trust" read
>
># Enables write access for the given dn
># rootdn is omitted, since it always has implicit
># maximal access
>access to dn.subtree="dc=qm"
>    by dn.exact="uid=silasb,ou=people,dc=qm" write
>    by * read
><--SNAP
>
>It should now work as expected. But I strongly recommend reading the
>slapd.access manpage.
>
>
>--
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
>E-Mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
>Instantmessenger: Jabber: [EMAIL PROTECTED] or ICQ: 95492828
>PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
>-----------------
> encrypted E-Mail preferred <------------------------
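An added example, not from either message in this thread: a slapd.conf fragment answering the "multiple sasl-regexp" question above. It assumes the SASL DN form uid=<user>,cn=QM,cn=gssapi,cn=auth seen in the thread and the ou=people / cn=ldapadmin entries mentioned there; slapd evaluates sasl-regexp lines (newer spelling: authz-regexp) in the order written and stops at the first pattern that matches, so the literal rule must come before the catch-all.

```conf
# Added example slapd.conf fragment (not from the thread).
# Rule order matters: the first sasl-regexp whose pattern matches the
# SASL authentication DN wins. If the generic rule came first, the
# ldapadmin principal would still be mapped into ou=people.

# 1. Literal mapping for the admin principal only. Anchors (^ $) keep the
#    pattern from matching any longer or differently prefixed DN.
sasl-regexp
    "^uid=ldapadmin,cn=QM,cn=gssapi,cn=auth$"
    "cn=ldapadmin,dc=qm"

# 2. Generic mapping for every other GSSAPI principal in realm QM.
#    [^,]* captures the uid without crossing into the next RDN; $1 reuses it.
sasl-regexp
    "^uid=([^,]*),cn=QM,cn=gssapi,cn=auth$"
    "uid=$1,ou=people,dc=qm"

# ACLs can now name the mapped entry DNs instead of the raw cn=auth DNs.
# rootdn is omitted: it always has full access regardless of ACLs.
access to dn.base=""
    by * read

access to dn.base="cn=Subschema"
    by * read

access to dn.subtree="dc=qm"
    by dn.exact="cn=ldapadmin,dc=qm" write
    by dn.exact="uid=silasb,ou=people,dc=qm" write
    by self write
    by * read
```

After editing, check the mapping from the client side with `ldapwhoami -Y GSSAPI`, which prints the DN slapd actually bound as; if it still shows the cn=auth form, no rule matched.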
