Hi, thank you very much, it was very clear.
I already have the Administrator Guide 2.4 and it was not clear in it (as to the way to configure it the first time).

Regards
Aurélien Lafranchise | Consultant
Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11
www.snype-consulting.com

2011/6/7 Ondrej Kuznik <ondrej.kuz...@acision.com>
> On 06/06/2011 01:47 PM, Aurélien Lafranchise wrote:
> > Hi,
> >
> > On my olcDatabase={1}bdb,cn=config I added an ACL:
> > {0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth
> >
> > I don't understand why I have to add by * auth to allow the two previous
> > users to be logged in?
>
> Most of the time when connecting to the ldap server, your connection
> starts unauthenticated and you are an anonymous user. To be able to
> authenticate via simple bind, the account's userPassword attribute needs
> to have an auth permission to be considered. The common thing to do is
> adding this as the first acl in the list:
>
> olcAccess: {0}to attrs=userPassword by self write by * auth
>
> If you want replication of user accounts, then you need to grant an
> additional privilege to the replication user to read it. Something like
> that:
>
> olcAccess: {0}to * by dn.exact="the replication user's dn" read by * break
> olcAccess: {1}to attrs=userPassword by self write by * auth
>
> You definitely need to read man slapd.access though.
>
> --
> Ondrej Kuznik
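As an added illustration (not part of the thread), the LDIF below puts the advice from the reply together with the rule from the original question into one ordered olcAccess list for the database named in the question. The replication user's DN is a placeholder; the user1/user2 DNs are the ones from the question.

```ldif
# Added example, not from the thread: ldapmodify input that replaces the
# whole olcAccess list on the database from the question. "replace" wipes
# the existing rules, so every rule you still want must be listed here.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
# {0}: the replication user (placeholder DN) may read everything; "break"
# then lets evaluation continue to the later rules for everyone else.
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
# {1}: a simple bind starts anonymous, so userPassword must grant "auth"
# to anonymous or nobody can log in. Users may still change their own.
olcAccess: {1}to attrs=userPassword by self write by * auth
# {2}: the rule from the question. With {1} in place, bind no longer
# depends on this catch-all, so "by * auth" is replaced by "by * none"
# and anonymous gets nothing else.
olcAccess: {2}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * none
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` and then confirm that the narrowed rules still allow a bind with `ldapwhoami -x -D "cn=user2,dc=mbqt" -W`.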