I figured that out too. I wasn't paying close enough attention to my binds.
On 09/05/2016 03:25 PM, John Lewis wrote:
> I am going to remove my second. I understand
> http://www.openldap.org/doc/admin24/access-control.html now. I was
> confused between the difference between the explicit SASL/EXTERNAL
> and the bind I managed to do without the "-Y EXTERNAL" I did.
>
> On 09/01/2016 07:57 PM, John Lewis wrote:
>> I am going to second this.
>>
>> On 09/01/2016 05:40 AM, Tom Jay wrote:
>>> Hello,
>>>
>>> Can I make a request that certain features of the access control
>>> documentation are emphasized? I've wasted quite a lot of time on
>>> this and some simple rules (which already exist in the
>>> documentation) would have been really helpful. These are:
>>>
>>> 8. Access Control
>>> 8.2. Access Control via Static Configuration
>>> 8.2.5. Access Control Examples
>>>
>>> To all attributes except homePhone, an entry can write to
>>> itself, entries under example.com entries can search by them,
>>> anybody else has no access (implicit by * none) excepting for
>>> authentication/authorization (*which is always done anonymously*).
>>>
>>> The fact that authentication is always done anonymously,
>>> even if anonymous binds are disabled in the configuration,
>>> is very important.
>>>
>>> 8.2.4. Access Control Evaluation
>>>
>>> Slapd stops with the first <what> selector that matches the
>>> entry and/or attribute.
>>>
>>> This is also very important, as it explains exactly how the
>>> access rules are processed.
>>>
>>> The order of evaluation of access directives makes their
>>> placement in the configuration file important.
>>>
>>> I don't think this is emphasized enough, as it is critical
>>> to how the access rules are processed.
>>>
>>> Also, some mention of the ACL log level would be useful!
>>>
>>>
>>> Thanks.
>>>
>>>
>>> Tom
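
The rules quoted in the request above (first matching <what> wins, and authentication is performed anonymously), shown as a constructed slapd.conf fragment. This is an added illustration, not part of the thread or of the OpenLDAP documentation; the surrounding database section and its dc=example,dc=com suffix are assumed.

```conf
# Constructed slapd.conf fragment for a database whose suffix is assumed
# to be dc=example,dc=com.

# --- Misordered (left commented out) ---------------------------------
# slapd stops at the first <what> selector that matches, and "*" matches
# every entry and attribute, so the userPassword rule is never reached.
# Consequences:
#   * any authenticated user ("users") can read userPassword values
#   * simple binds fail, because the bind is evaluated as anonymous and
#     anonymous falls through to "by * none" with no auth access
#
# access to *
#     by self write
#     by users read
#     by * none
# access to attrs=userPassword
#     by self write
#     by anonymous auth
#     by * none

# --- Corrected: most specific <what> first -----------------------------
# userPassword is matched here and evaluation stops, so the broader rule
# below never applies to it.
access to attrs=userPassword
    by self write
    by anonymous auth    # lets the anonymous session compare credentials
    by * none            # nobody else can read or search the attribute

# Everything that did not match the rule above.
access to *
    by self write
    by users read
    by * none

# Log each ACL decision while testing rule order (the ACL log level,
# numeric value 128). Remove once the rules behave as intended.
loglevel acl
```

With `loglevel acl` set, the slapd log shows which access directive matched each request, which makes a shadowed rule like the commented-out one visible.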