Re: Configuring access control

Gordon Good (ggood@netscape.com)
Sun, 11 Aug 1996 15:28:09 -0700

Ed Oskiewicz wrote:
>
> I am having trouble figuring out how to set up an LDAP directory to provide
> access controls which differ from attribute to attribute. What I want to do
> is described below with the lines from my configuration file shown below the
> description. These lines are taken from my config file and appear in it in
> the order shown:
>
> Allow the user to write their password but deny anyone else access
>
> access to dn=".*, o=BT plc, c=gb"
> attr=userPassword
> by self write
> by * none
>
> Allow the user to update some attributes and anyone from BT to read them,
> deny anyone else access
>
> access to dn=".*, o=BT plc, c=gb"
> attr=contact,Aaddr,Atel,Afax,Amobile,Aemail,Ahomepage,Aworkstation
> by self write
> by domain=.*\.bt\.co\.uk read
> by * none
>
> Allow anyone from BT to update this attribute
>
> access to dn=".*, o=BT plc, c=gb"
> attr=currLoc,
> by domain=.*\.bt\.co\.uk write
> by * none
>
> When I fire up slapd and run ldapsearch without any authentication then all
> user passwords are printed out on my screen. If I add
>
> defaultaccess none
>
> to the config file then only the rootdn can access entries, i.e. other users
> cannot access even if their dn and password are specified. Is there something
> elementary I have missed?
>
> Cheers,

There are some DN normalization bugs in the access control code in
slapd-3.3. If this is what your problem is, then a workaround would be
to normalize the DNs in the access control directives. By "normalize" I
mean remove any spaces between the DN components, e.g.:

cn=Gordon Good, o=Netscape Communications Corp., c=US

is not normalized, while

cn=Gordon Good,o=Netscape Communications Corp.,c=US

Hope this helps.

-- 
Gordon Good                          (opinions expressed here are mine, 
Netscape Communications Corp.         not necessarily my employer's)
Mountain View, CA
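As an added illustration of the normalization point in the reply (this is example code written for this page, not slapd's access-control code and not anything either poster wrote): a small Python model of first-matching-rule ACL evaluation. It parses the three quoted access directives, matches the dn regex against a normalized target DN the way the reply says the server does, and shows that the patterns as written never match, so every request falls through to the defaultaccess value (world-readable passwords, or, with none, everyone but the rootdn locked out), while the normalized patterns behave as intended. The target DN, the client hostname and the choice of "read" as the fallback are constructed assumptions; matching with fullmatch and treating a matched rule with no applicable "by" clause as a deny are simplifications of this toy, not a statement about slapd-3.3.

```python
import re

# Constructed sample: the three access directives from the quoted slapd.conf,
# reproduced with the original spacing inside the dn regexes.
CONF = r'''
access to dn=".*, o=BT plc, c=gb"
attr=userPassword
by self write
by * none

access to dn=".*, o=BT plc, c=gb"
attr=contact,Aaddr,Atel,Afax,Amobile,Aemail,Ahomepage,Aworkstation
by self write
by domain=.*\.bt\.co\.uk read
by * none

access to dn=".*, o=BT plc, c=gb"
attr=currLoc,
by domain=.*\.bt\.co\.uk write
by * none
'''

# Constructed target entry, written the way a client would type it (spaces after the commas).
USER = "cn=Example User, o=BT plc, c=gb"


def normalize_dn(dn):
    """Strip whitespace around the commas that separate RDN components.
    Simplification: values containing escaped commas are not handled."""
    return ",".join(part.strip() for part in dn.split(","))


def parse_acls(conf, normalize=False):
    """Parse the 'access to dn=... attr=... by <who> <level>' subset used in the thread.
    With normalize=True the dn regex of each rule is passed through normalize_dn(),
    which is the workaround the reply suggests."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to"):
            rules.append({"dn": ".*", "attrs": None, "by": []})
            line = line[len("access to"):].strip()
        rule = rules[-1]
        if line.startswith("by "):
            _, who, level = line.split(None, 2)
            rule["by"].append((who, level))
            continue
        for key, quoted, bare in re.findall(r'(dn|attr)=(?:"([^"]*)"|(\S+))', line):
            value = quoted or bare
            if key == "dn":
                rule["dn"] = normalize_dn(value) if normalize else value
            else:
                # split the attr list; a trailing comma (as in "currLoc,") just yields an empty item
                rule["attrs"] = {a for a in value.split(",") if a}
    return rules


def check_access(rules, target_dn, attr, subject_dn=None, client_host="", default_access="read"):
    """Toy first-match evaluation: the first rule whose dn regex and attr list match the
    target decides; within it the first applicable 'by' clause gives the level. A matching
    rule with no applicable 'by' clause denies. If no rule matches at all, default_access
    applies (this toy's stand-in for the defaultaccess directive)."""
    target = normalize_dn(target_dn)           # the server compares against normalized DNs
    subject = normalize_dn(subject_dn) if subject_dn else None
    for rule in rules:
        if not re.fullmatch(rule["dn"], target):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who == "*":
                return level
            if who == "self" and subject == target:
                return level
            if who.startswith("domain=") and re.fullmatch(who[len("domain="):], client_host):
                return level
        return "none"
    return default_access


def demo():
    """Evaluate the same requests against the rules as written and after normalizing."""
    results = {}
    for label, normalize in (("as written", False), ("normalized", True)):
        rules = parse_acls(CONF, normalize=normalize)
        results[label] = {
            # anonymous search reading the password attribute
            "anon_password": check_access(rules, USER, "userPassword"),
            # the user bound as themselves, with the default fallback and with 'defaultaccess none'
            "self_password": check_access(rules, USER, "userPassword", subject_dn=USER),
            "self_password_default_none": check_access(
                rules, USER, "userPassword", subject_dn=USER, default_access="none"),
            # a host in the bt.co.uk domain updating currLoc (hostname is constructed)
            "bt_currLoc": check_access(rules, USER, "currLoc", client_host="pc1.bt.co.uk"),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the patterns as written, the suffix ", o=BT plc, c=gb" never appears in a normalized DN, so no rule applies and the fallback decides everything, which is exactly the pair of symptoms in the question. Once the patterns are normalized, anonymous access to userPassword is denied, the user can write their own password, and a BT host can update currLoc.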