Tim Gustafson wrote:
> This is the first ACL in the file.
>
>
> Tim Gustafson
> SOE Webmaster
> UC Santa Cruz
> [email protected]
> 831-459-5354
>
> -----Original Message-----
> From: Quanah Gibson-Mount <[email protected]>
>
> Date: Fri, 30 Jan 2009 17:24:47
> To: Tim Gustafson<[email protected]>; <[email protected]>
> Subject: Re: ACL Question
>
>
> --On Friday, January 30, 2009 4:42 PM -0800 Tim Gustafson
> <[email protected]> wrote:
>
>> Hi,
>>
>> I have the following in my slapd.conf:
>>
>> access to dn.subtree="cn=log"
>>     by
>>     group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu"
>>     read
>>
>> However, anyone (even unbound anonymous users) can access cn=log without
>> any problems. I don't want anyone but ldap-admins to be able to access
>> this subtree.
>>
>> I'm thinking that I must be missing something really simple here. Am I
>> doing something wrong? Any help is greatly appreciated.
>
> What are your other acls? ACLs are applied as they are reached, so if a
> previous ACL allows access to cn=log, this one will never get evaluated.

Similarly, other ACLs after this one may grant access to cn=log. Your current
ACL only grants read access to the group ldap-admins. It doesn't specify rights
for other users. Explicitly deny access to others like this:

access to dn.subtree="cn=log"
    by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu" read
    by * none

Jonathan
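As an added illustration of the first-match evaluation Quanah and Jonathan describe (example code, not from the thread or from OpenLDAP): it models only the dn.subtree, "*", group and anonymous selectors, treats group membership as a property of the requester instead of reading the group entry, and uses a constructed catch-all directive and a constructed admin user.

```python
# Added example (not from the thread): a toy model of slapd's first-match ACL
# evaluation as described in slapd.access(5), covering only the selectors used
# above. Group membership is a requester attribute here (a simplification).
LOG_BASE = "cn=log"
ADMINS = "cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu"

def dn_in_subtree(dn, base):
    """dn.subtree matches the base entry itself and everything beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who, requester):
    """requester is None when anonymous, else {'dn': ..., 'groups': [...]}."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who.startswith("group="):
        groups = [g.lower() for g in requester["groups"]] if requester else []
        return who[len("group="):].lower() in groups
    raise ValueError("unsupported <who> clause: " + who)

def evaluate(acls, target_dn, requester):
    """acls: [(what, [(who, level), ...]), ...] in slapd.conf order. The first
    directive whose <what> matches the target wins; inside it the first matching
    <by> clause decides. No matching <by> (or no matching directive) = none."""
    for what, by_clauses in acls:
        if what == "*" or (what.startswith("dn.subtree=")
                           and dn_in_subtree(target_dn, what[len("dn.subtree="):])):
            for who, level in by_clauses:
                if who_matches(who, requester):
                    return level
            return "none"  # implicit trailing 'by * none'
    return "none"

# Tim's directive, Jonathan's explicit-deny version, and a constructed
# catch-all of the kind many slapd.conf files end with.
LOG_ACL = ("dn.subtree=" + LOG_BASE, [("group=" + ADMINS, "read")])
LOG_ACL_DENY = ("dn.subtree=" + LOG_BASE, [("group=" + ADMINS, "read"), ("*", "none")])
CATCH_ALL = ("*", [("*", "read")])
ADMIN = {"dn": "uid=tim,ou=People,dc=soe,dc=ucsc,dc=edu", "groups": [ADMINS]}  # constructed

def ordering_demo():
    """Quanah's point: a catch-all placed before the cn=log rule shadows it."""
    return {
        "log_rule_first": evaluate([LOG_ACL, CATCH_ALL], LOG_BASE, None),
        "catch_all_first": evaluate([CATCH_ALL, LOG_ACL], LOG_BASE, None),
    }
```

Running ordering_demo() shows anonymous getting "none" on cn=log when the cn=log rule comes first and "read" when the catch-all precedes it, which is why the position of the rule in the file matters as much as its by clauses.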
