On Fri, Jan 19, 2007 at 09:47:10PM -0800, Howard Chu wrote:
> Alex Samad wrote:
> >On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
> >>>I get problems with access control, however, that prevent it from 
> >>>working.
> >>Yes...given
> >>>access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >>>access to * by * none
> >
> >Think what you need here is
> >
> >access to *
> >     by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >     by * break 
> >
> >access to attrs=userPassword
> >     by anonymous auth
> >     by self write
> >     by * none
> >
> >access to *
> >     by * none
> >
> Yes, but sloppy. Don't use rules you don't need, and write rules that work 
> with the natural order of processing:
> 
>  access to attrs=userPassword
>       by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
>       by self write
>       by anonymous auth
> 
>  access to *
>       by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> 
> I.e., don't throw in gratuitous "break" statements when you don't need to.

Agreed for this simple solution, but when you have a whole bundle of different
attributes that you want uid=slurp to have root-style access to, would one not
place it at the top? Otherwise you have to place it in 5-10 or 20-30 different
access control blocks.

I suppose what would be nice is if you could define macros to be placed in an
access control block.

> 
> -- 
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/
> 
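
The evaluation order the thread argues about (first matching "access to" directive wins; within it the first matching "by" clause decides; only a "break" control falls through to later directives) is easy to misjudge by eye. The following Python is an added example, not code from the thread or from OpenLDAP: a toy model of a small subset of slapd.access(5) semantics (attribute-name targets only; `*`, `anonymous`, `users`, `self` and `dn=` subjects; `stop`/`break` controls; no `continue`, no incremental `+`/`-` levels). The three rulesets quoted above are run through it, with the masked `dc=xxxxxxxx,dc=xx` suffix replaced by the constructed `dc=example,dc=com`.

```python
# Toy simulator of slapd access-directive evaluation (simplified model, not OpenLDAP code).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

SLURP = "uid=slurp,ou=users,dc=example,dc=com"  # constructed replica DN

# The three rulesets from the thread, with the masked suffix filled in.
ORIGINAL = f"""
access to *
    by dn="{SLURP}" write
access to *
    by * none
"""

WITH_BREAK = f"""
access to *
    by dn="{SLURP}" write
    by * break
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none
access to *
    by * none
"""

NATURAL_ORDER = f"""
access to attrs=userPassword
    by dn="{SLURP}" write
    by self write
    by anonymous auth
access to *
    by dn="{SLURP}" write
"""


def parse_acl(text):
    """Parse 'access to <what>' lines followed by 'by <who> [<level>] [stop|break]'."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            directives.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            parts = line.split()
            level = parts[2] if len(parts) > 2 and parts[2] in LEVELS else "none"
            control = "break" if parts[-1] == "break" else "stop"
            directives[-1]["by"].append((parts[1], level, control))
    return directives


def what_matches(what, attr):
    """'*' matches every attribute; 'attrs=a,b' matches the listed names."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    if who.startswith("dn="):
        return requester == who[len("dn="):].strip('"')
    raise ValueError(f"unsupported <who>: {who}")


def granted(directives, requester, entry_dn, attr):
    """Level granted: the first directive whose <what> matches decides; inside it the
    first matching <who> clause returns its level, unless its control is 'break',
    which falls through to the next directive. No match anywhere means 'none'."""
    for directive in directives:
        if not what_matches(directive["what"], attr):
            continue
        for who, level, control in directive["by"]:
            if who_matches(who, requester, entry_dn):
                if control == "break":
                    break  # fall through to the next access directive
                return level
        else:
            return "none"  # <what> matched but no <who> clause did: denied, stop
    return "none"


def allowed(acl_text, requester, entry_dn, attr, needed):
    """True if requester gets at least 'needed' on attribute attr of entry_dn."""
    level = granted(parse_acl(acl_text), requester, entry_dn, attr)
    return LEVELS[level] >= LEVELS[needed]


def unreachable_directives(acl_text):
    """Indices of directives shadowed by an earlier 'access to *' that has no 'break'."""
    directives = parse_acl(acl_text)
    for i, d in enumerate(directives):
        if d["what"] == "*" and not any(c == "break" for _, _, c in d["by"]):
            return list(range(i + 1, len(directives)))
    return []
```

Running the original ruleset through `unreachable_directives` flags its second directive as dead, and `allowed(ORIGINAL, None, entry, "userPassword", "auth")` is False: an anonymous session can never bind, because the first `access to *` already matched and its only clause does not cover it. Both the `break` version and the reordered version grant the same results for every requester/attribute pair checked, which is the point of writing the rules in their natural order: the same policy without a clause whose only job is to undo an earlier catch-all.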
