Configuring access control

Ed Oskiewicz (eoskiewi@jungle.bt.co.uk)
Wed, 07 Aug 1996 16:26:25 +0100

I am having trouble figuring out how to set up an LDAP directory to provide
access controls which differ from attribute to attribute. What I want to do
is described below with the lines from my configuration file shown below the
description. These lines are taken from my config file and appear in it in
the order shown:

Allow the user to write their password but deny anyone else access

access to dn=".*, o=BT plc, c=gb"
attr=userPassword
by self write
by * none

Allow the user to update some attributes and anyone from BT to read them,
deny anyone else access

access to dn=".*, o=BT plc, c=gb"
attr=contact,Aaddr,Atel,Afax,Amobile,Aemail,Ahomepage,Aworkstation
by self write
by domain=.*\.bt\.co\.uk read
by * none

Allow anyone from bt to update this attribute

access to dn=".*, o=BT plc, c=gb"
attr=currLoc
by domain=.*\.bt\.co\.uk write
by * none

When I fire up slapd and run ldapsearch without any authentication then all
user passwords are printed out on my screen. If I add

defaultaccess none

to the config file then only the rootdn can access entries, i.e. other users
cannot access even if their dn and password are specified. Is there something
elementary I have missed?

Cheers,

Ed Oskiewicz

---
      B54/76, BT Labs, Martlesham Heath, Ipswich, Suffolk, UK, IP5 7RE
	  oskiewicz_e_p@bt-web.bt.co.uk, eoskiewi@jungle.bt.co.uk
		  Tel +44 1473 640896, Fax +44 1473 640929
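The following is an added illustration, not part of the post above and not slapd's own code. It models the access-control evaluation described in the umich slapd configuration guide (access directives are tried in file order and the first `access to` clause that covers the entry/attribute wins; within it the first matching `by` clause fixes the level; a request covered by no directive falls back to `defaultaccess`; levels are ordered none < compare < search < read < write) and replays the three directives from the post against constructed requesters. Everything else is an assumption: the entry DN, the requester hostnames, the regex anchoring, the treatment of a rule without `attr=` as covering the whole entry, and the `CATCH_ALL` directive, which is one way to give the attributes the `attr=` rules do not mention an explicit level instead of leaving them to `defaultaccess`.

```python
import re

# Access levels, ordered as in the umich slapd ACL model: none < compare < search < read < write.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}


class AccessRule:
    """One 'access to dn=<regex> [attr=<list>] by <who> <level> ...' directive.

    A rule without attr= covers the entry and all of its attributes; a rule with attr=
    covers only the listed attributes (assumption, following the umich slapd guide).
    """

    def __init__(self, dn_regex, by_clauses, attrs=None):
        self.dn_re = re.compile(dn_regex, re.IGNORECASE)
        self.attrs = {a.lower() for a in attrs} if attrs else None
        self.by_clauses = by_clauses  # ordered list of (who, level)

    def covers(self, entry_dn, attr):
        if not self.dn_re.fullmatch(entry_dn):  # regex match on the entry DN (anchoring assumed)
            return False
        if self.attrs is None:
            return True  # whole-entry rule
        return attr is not None and attr.lower() in self.attrs


def who_matches(who, requester, entry_dn):
    """Match one <who> clause: '*', 'self', 'dn=<regex>' or 'domain=<regex>'."""
    if who == "*":
        return True
    if who == "self":
        return requester["dn"] is not None and requester["dn"].lower() == entry_dn.lower()
    key, _, pattern = who.partition("=")
    if key == "domain":  # domain of the connecting client (needs reverse DNS in real slapd)
        return re.fullmatch(pattern, requester["domain"], re.IGNORECASE) is not None
    if key == "dn":
        return requester["dn"] is not None and re.fullmatch(pattern, requester["dn"], re.IGNORECASE) is not None
    raise ValueError("unsupported who clause: " + who)


def access_allowed(rules, default, requester, entry_dn, attr, wanted):
    """First covering 'access to' rule wins; within it the first matching 'by' clause
    fixes the level. No covering rule -> defaultaccess. No matching 'by' -> denied
    (every rule in the post ends with 'by * none', so that case does not arise here)."""
    for rule in rules:
        if rule.covers(entry_dn, attr):
            for who, level in rule.by_clauses:
                if who_matches(who, requester, entry_dn):
                    return LEVELS[level] >= LEVELS[wanted]
            return False
    return LEVELS[default] >= LEVELS[wanted]


# The three directives from the post, in file order.
BT_DN = r".*, o=BT plc, c=gb"
BT_DOMAIN = r".*\.bt\.co\.uk"
POSTED_RULES = [
    AccessRule(BT_DN, [("self", "write"), ("*", "none")], attrs=["userPassword"]),
    AccessRule(BT_DN, [("self", "write"), ("domain=" + BT_DOMAIN, "read"), ("*", "none")],
               attrs=["contact", "Aaddr", "Atel", "Afax", "Amobile", "Aemail", "Ahomepage", "Aworkstation"]),
    AccessRule(BT_DN, [("domain=" + BT_DOMAIN, "write"), ("*", "none")], attrs=["currLoc"]),
]
# Constructed catch-all (assumption, not from the post): everything the attr= rules leave out
# is readable from BT hosts and closed to everyone else.
CATCH_ALL = AccessRule(BT_DN, [("domain=" + BT_DOMAIN, "read"), ("*", "none")])

# Constructed entry and requesters (hostnames and DNs are made up for the illustration).
ED = "cn=Ed Oskiewicz, o=BT plc, c=gb"
ED_SELF = {"dn": ED, "domain": "jungle.bt.co.uk"}
BT_COLLEAGUE = {"dn": "cn=Colleague, o=BT plc, c=gb", "domain": "host.bt.co.uk"}
ANON_OUTSIDE = {"dn": None, "domain": "client.example.net"}


def outcomes(rules, default):
    """Decisions for a few representative requests against Ed's entry."""
    return {
        "anon_read_password": access_allowed(rules, default, ANON_OUTSIDE, ED, "userPassword", "read"),
        "bt_read_password": access_allowed(rules, default, BT_COLLEAGUE, ED, "userPassword", "read"),
        "self_write_password": access_allowed(rules, default, ED_SELF, ED, "userPassword", "write"),
        "bt_read_contact": access_allowed(rules, default, BT_COLLEAGUE, ED, "contact", "read"),
        "anon_read_contact": access_allowed(rules, default, ANON_OUTSIDE, ED, "contact", "read"),
        "bt_write_currloc": access_allowed(rules, default, BT_COLLEAGUE, ED, "currLoc", "write"),
        # 'cn' is named in none of the attr= lists, so it falls through to defaultaccess
        "bt_read_cn": access_allowed(rules, default, BT_COLLEAGUE, ED, "cn", "read"),
        "anon_read_cn": access_allowed(rules, default, ANON_OUTSIDE, ED, "cn", "read"),
    }


if __name__ == "__main__":
    for label, rules, default in (("posted, defaultaccess read", POSTED_RULES, "read"),
                                  ("posted, defaultaccess none", POSTED_RULES, "none"),
                                  ("posted + catch-all, defaultaccess none", POSTED_RULES + [CATCH_ALL], "none")):
        print(label)
        for req, ok in outcomes(rules, default).items():
            print("  %-22s %s" % (req, "allowed" if ok else "denied"))
```

Under this model the three posted directives decide `userPassword`, the contact attributes and `currLoc` exactly as the comments in the post intend, for every requester. Attributes they do not name (`cn` here) are decided by `defaultaccess` alone: with the default of read they are open to anonymous clients, and with `defaultaccess none` they are closed even to an authenticated BT user, which is consistent with the second symptom in the post. Appending a whole-entry directive such as `CATCH_ALL` after the attribute-specific ones makes that fall-through explicit. The model does not reproduce slapd's config parsing (for instance its continuation-line rules), so it says nothing about whether the posted lines are read by slapd the way they are shown.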