[please keep replies on the list]

> Thanks again for getting back to me. I am still working through your
> suggestion. Just replying to you to clarify something:
>
> The ACL I am currently using for my attr=userPassword came from the
> openldap admin guide, here:
> http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
>
> However, you mentioned the ACL is incorrect. Other than the ordering, I
> don't see a difference. Am I missing something? If it is the ordering, I
> apologize for asking twice...but I must really be missing something.
>
> mine:
>
> access to attr=userPassword
>     by self write
>     by dn.base="cn=Manager,dc=example,dc=com" write
>     by anonymous auth
>     by * none
>
> from the admin guide:
>
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by dn.base="cn=Admin,dc=example,dc=com" write
>     by * none
>> This ACL is incorrect, as indicated everywhere in the documentation, if
>> by "ldap manager" you mean the "rootdn"; a correct one would be
>>
>> access to attr=userPassword
>>     by self write
>>     by anonymous auth

When I said "incorrect" I meant something like "unnecessarily redundant"; compare mine with yours: you added two lines that are unnecessary and may cause a performance penalty.

As clearly stated in the slapd.access(5) man page and in the example slapd.conf that comes with the distribution, it is useless to add rules that grant permissions to the rootdn, because the rootdn bypasses access control (otherwise there would be little use for the rootdn itself); however, the rest of access control has to go through comparing with that useless "by" clause every time.

The "by * none" is a no-go, because it's the default. You can add it as a reminder, but again, you're wasting resources.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    [EMAIL PROTECTED]
------------------------------------------
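The two points made in the reply (the rootdn bypasses access control, and "by * none" is already the implicit default) can be seen by running both ACLs through a small model of slapd's first-match evaluation. The following is an added illustration written for this thread, not OpenLDAP code: it is a deliberately simplified evaluator (only `self`, `anonymous`, `dn.base` and `*` clauses; the `disclose` and `manage` levels are left out, and rootdn access is reported as `write` rather than as unrestricted). The rootdn `cn=Manager,dc=example,dc=com` is assumed from the ACL quoted above, and the user DNs are constructed sample values.

```python
# Added illustration: a simplified model of slapd's access-control evaluation,
# not OpenLDAP code. It shows why "by dn.base=<rootdn> write" and a trailing
# "by * none" change nothing except the number of clauses compared.

# Access levels in increasing order (slapd's "disclose"/"manage" omitted).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Assumed rootdn, taken from the ACL quoted in the thread.
ROOTDN = "cn=Manager,dc=example,dc=com"

# The poster's ACL and the minimal one, as (who, access) clauses in order.
VERBOSE = [
    ("self", "write"),
    ('dn.base="cn=Manager,dc=example,dc=com"', "write"),
    ("anonymous", "auth"),
    ("*", "none"),
]
MINIMAL = [
    ("self", "write"),
    ("anonymous", "auth"),
]


def who_matches(who, requester, target_dn):
    """True if a 'by <who>' clause applies; requester None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith("dn.base="):
        return requester == who[len("dn.base="):].strip('"')
    raise ValueError(f"unsupported <who> form: {who}")


def evaluate(acl, requester, target_dn, rootdn=ROOTDN):
    """Return (granted_level, clauses_compared).

    The rootdn bypasses access control entirely (zero clauses compared);
    otherwise the first matching 'by' clause wins, and no match means the
    implicit default 'none', exactly as if 'by * none' were appended.
    """
    if requester == rootdn:
        return "write", 0
    compared = 0
    for who, level in acl:
        compared += 1
        if who_matches(who, requester, target_dn):
            return level, compared
    return "none", compared


def allows(granted, needed):
    """Does the granted level cover the level the operation needs?"""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def same_decisions(acl_a, acl_b, target_dn, requesters):
    """True if both ACLs grant an identical level to every requester."""
    return all(evaluate(acl_a, r, target_dn)[0] == evaluate(acl_b, r, target_dn)[0]
               for r in requesters)


if __name__ == "__main__":
    # Constructed sample DNs.
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for acl_name, acl in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        for requester in (None, alice, bob, ROOTDN):
            level, n = evaluate(acl, requester, alice)
            print(f"{acl_name:8} requester={requester or 'anonymous':40} "
                  f"-> {level:5} after {n} clause(s)")
    print("identical decisions:",
          same_decisions(VERBOSE, MINIMAL, alice, [None, alice, bob, ROOTDN]))
```

Running it shows that every requester gets the same level under both ACLs: the rootdn is never compared against any clause at all, an unrelated user ends on the implicit `none` whether or not `by * none` is written, and the only difference is that an anonymous bind under the longer ACL has to be checked against the rootdn clause first, which is the extra comparison the reply is objecting to.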