Jonathan Clarke wrote:
> > access to dn.subtree="ou=Users,dc=example,dc=com"
> >     by dn="uid=Operator,ou=Users,dc=example,dc=com" write
> >     by * read
> >     by self write
> >     by dn="uid=replica,ou=Users,dc=example,dc=com" write
> >     by anonymous auth
> >     by * none
>
> Be careful - none of the "by" clauses after the 2nd ("by * read") will
> be read. The first matching clause wins, and "*" matches everyone.
>
> auth is only meaningful on the userPassword attribute, which you already
> granted in your first ACL (well, except some implicit searches during
> bind, but this is a rare case).

Thanks for the explanation - it's now clearer to me how these rules
are processed.
--
Tomasz Chmielewski
http://wpkg.org
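
The first-match rule described in the quoted reply, as an added example (not part of the original message and not OpenLDAP code). It is a simplified model: the function names are hypothetical, dn="..." is assumed to be an exact, case-insensitive match, and control keywords such as "continue" are not modelled.

```python
import re

# The ACL from the message above, copied as posted.
ACL = '''access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn="uid=Operator,ou=Users,dc=example,dc=com" write
    by * read
    by self write
    by dn="uid=replica,ou=Users,dc=example,dc=com" write
    by anonymous auth
    by * none'''

BY_RE = re.compile(r'^\s*by\s+(\S+)\s+(\S+)\s*$', re.M)

def parse_by_clauses(acl):
    """Return the (who, access) pairs in the order they are written."""
    return BY_RE.findall(acl)

def who_matches(who, requester, entry):
    """Simplified <who> matching: *, anonymous, users, self, dn="..."."""
    if who == '*':
        return True
    if who == 'anonymous':
        return requester == ''          # empty bind DN = anonymous
    if who == 'users':
        return requester != ''
    if who == 'self':
        return requester != '' and requester.lower() == entry.lower()
    m = re.fullmatch(r'dn(?:\.(?:exact|base))?="(.*)"', who)
    return bool(m) and m.group(1).lower() == requester.lower()

def effective_access(clauses, requester, entry):
    """First matching clause wins; no match means the implicit 'by * none'."""
    for who, access in clauses:
        if who_matches(who, requester, entry):
            return access
    return 'none'

def unreachable(clauses):
    """Clauses written after the first 'by *' can never be selected."""
    for i, (who, _) in enumerate(clauses):
        if who == '*':
            return clauses[i + 1:]
    return []

if __name__ == '__main__':
    for who, access in unreachable(parse_by_clauses(ACL)):
        print('never evaluated: by %s %s' % (who, access))
```

Run against the posted ACL, it reports the last four "by" clauses as never evaluated, so the replica DN and "self" both end up with read rather than write.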