I am going to remove my second. I understand http://www.openldap.org/doc/admin24/access-control.html now. I was confused about the difference between the explicit SASL/EXTERNAL and the bind I managed to do without the "-Y EXTERNAL" I did.
On 09/01/2016 07:57 PM, John Lewis wrote:
> I am going to second this.
>
> On 09/01/2016 05:40 AM, Tom Jay wrote:
>> Hello,
>>
>> Can I make a request that certain features of the access control
>> documentation are emphasized? I've wasted quite a lot of time on this
>> and some simple rules (which already exist in the documentation)
>> would have been really helpful. These are:
>>
>> 8. Access Control
>> 8.2. Access Control via Static Configuration
>> 8.2.5. Access Control Examples
>>
>> To all attributes except homePhone, an entry can write to itself,
>> entries under example.com entries can search by them, anybody
>> else has no access (implicit by * none) excepting for
>> authentication/authorization (*which is always done anonymously*).
>>
>> The fact that authentication is always done anonymously, even
>> if anonymous binds are disabled in the configuration, is very
>> important.
>>
>> 8.2.4. Access Control Evaluation
>>
>> Slapd stops with the first <what> selector that matches the entry
>> and/or attribute.
>>
>> This is also very important, as it explains exactly how the
>> access rules are processed.
>>
>> The order of evaluation of access directives makes their
>> placement in the configuration file important.
>>
>> I don't think this is emphasized enough, as it is critical to
>> how the access rules are processed.
>>
>> Also, some mention of the ACL log level would be useful!
>>
>>
>> Thanks.
>>
>>
>> Tom
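As an added illustration of the two points quoted above (slapd stops at the first matching <what>, and authentication is always evaluated as an anonymous operation), here is a constructed slapd.conf fragment that is not from the thread or from the OpenLDAP documentation; it assumes the suffix dc=example,dc=com and shows a misordered ruleset beside the corrected one.

```conf
# Constructed example, not from the thread. The commented-out ordering
# looks reasonable but breaks authentication: "access to *" matches
# every attribute, including userPassword, and slapd stops at the first
# <what> that matches, so the more specific directive below it never
# runs. Because binds are evaluated anonymously, nobody can bind.
#
#access to *
#        by * none
#access to attrs=userPassword
#        by self write
#        by anonymous auth
#        by * none

# Corrected: the most specific <what> comes first. "by anonymous auth"
# on userPassword is required even if anonymous binds are disabled
# elsewhere, because the bind itself is evaluated as anonymous.
# Within a directive the <who> clauses are also first-match, so
# "by * none" must stay last.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# homePhone is handled before the catch-all so it is not exposed to
# searches from other entries under the suffix.
access to attrs=homePhone
        by self write
        by * none

# Catch-all: an entry may write to itself, entries under
# dc=example,dc=com may search, everyone else gets the implicit
# "by * none" (written out here for clarity).
access to *
        by self write
        by dn.children="dc=example,dc=com" search
        by * none

# The ACL log level (128) records, per request, which directive and
# <who> clause granted or denied access; this is the quickest way to
# see where evaluation stopped when a rule behaves unexpectedly.
loglevel acl
```

With the ACL log level enabled, a failed bind against the broken ordering shows the "access to *" directive being selected for userPassword and "auth" being denied, which is the symptom the thread describes.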
