http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17599

auth ldap binds as user and loses access rights
------- Additional Comments From [EMAIL PROTECTED]  2003-10-23 08:50 -------
Here is my slapd ACL configuration. Maybe it helps to reproduce the problem.

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
        by dn="cn=admin,o=Silver Style Entertainment,c=de" write
        by anonymous auth
        by self write
        by * none
access to attribute=lmPassword
        by dn="cn=admin,o=Silver Style Entertainment,c=de" write
        by anonymous auth
        by self write
        by * none
access to attribute=ntPassword
        by dn="cn=admin,o=Silver Style Entertainment,c=de" write
        by anonymous auth
        by self write
        by * none

# The admin dn has full write access
access to *
        by dn="cn=admin,o=Silver Style Entertainment,c=de" write
        by * none

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,o=morsnet"
        by dn="cn=admin,o=Silver Style Entertainment,c=de" write
        by dnattr=owner write

rootdn "cn=admin,o=Silver Style Entertainment,c=de"
rootpw {MD5}************
password-hash {MD5}

You will notice that a user has no access rights, except write access to the
user password. So a user can't search for other users. But exactly that is what
apache does if it tries to authenticate a second user.

By default slapd grants read rights to all. Often there is also a rule like
this.

access to *
        by self write
        by users read
        by anonymous auth

In both cases apache has no problem because the search for a user works.
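To make the difference between the two ACL sets concrete, here is a small model of slapd's first-match ACL evaluation, added as an example (it is not part of the bug report and not OpenLDAP's code). It assumes a simplified evaluator: the first `access to` clause whose `what` matches is used, the first matching `by` clause inside it decides, and a clause with no matching `by` denies; the Roaming regex clause, rootdn bypass and slapd's per-attribute search/read split are left out. Bind DNs such as `uid=alice,...` are constructed.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Privilege levels in ascending order; a grant at level X implies all lower levels.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,o=Silver Style Entertainment,c=de"
ALICE = "uid=alice,ou=People,o=example"   # constructed bind DN (the first user)
BOB = "uid=bob,ou=People,o=example"       # constructed target DN (the second user)

# The strict set from the comment: password attributes first, then "access to *".
ACL_STRICT = [
    ("attribute=userPassword", [("dn=" + ADMIN, "write"), ("anonymous", "auth"),
                                ("self", "write"), ("*", "none")]),
    ("*", [("dn=" + ADMIN, "write"), ("*", "none")]),
]
# The common permissive set the comment also quotes.
ACL_OPEN = [("*", [("self", "write"), ("users", "read"), ("anonymous", "auth")])]

def who_matches(who, binddn, target_dn):
    """Does the <who> of a 'by' clause match the bound identity for this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":
        return binddn is not None and binddn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return binddn is not None and binddn.lower() == who[3:].lower()
    return False

def what_matches(what, attr):
    """Does the <what> of an 'access to' clause cover this attribute?"""
    return what == "*" or (what.startswith("attribute=") and what[10:].lower() == attr.lower())

def granted(acls, binddn, target_dn, attr, needed):
    """First matching 'access to' clause wins; inside it, first matching 'by' wins."""
    for what, bys in acls:
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, binddn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False   # clause matched, no 'by' matched: deny
    return False       # no clause matched at all: deny

def can_search_other_user(acls, binddn):
    """The second lookup Apache performs while still bound as the first user."""
    return granted(acls, binddn, BOB, "uid", "search")
```

Under `ACL_STRICT` the bound user can write its own userPassword but cannot search for another user, which is exactly the failure the report describes; under `ACL_OPEN` the same search succeeds.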
