On Sat, 2010-10-09 at 09:53 +0200, Volker Potworowski wrote:

> access to *
>     by dn.exact="cn=root,dc=teraphim,dc=de" read
>     by * none
> access to attrs=userPassword
>     by dn.base="cn=Manager,dc=teraphim,dc=de" write
>     by anonymous auth
>     by self write
>     by * none
> access to attrs=shadowLastChange
>     by self write
>     by * read
> access to *
>     by self write
>     by * read

----

These ACLs are not good. ACLs are parsed from top to bottom and once a
controlling rule is hit, the rest is ignored. That means unless you are
binding as rootbinddn or 'cn=root,dc=teraphim,dc=de' (which I guess IS
rootbinddn) then you are locked out - period.

Suggest that you change them to something like this...

# password attribute first: the manager may set it, an unauthenticated
# client may only use it to bind (auth), the owner may change it
access to attrs=userPassword
    by dn.base="cn=Manager,dc=teraphim,dc=de" write
    by anonymous auth
    by self write
    by * none

# I'd probably at least comment this one out for now and I'm still
# not sure why you really care about this rule anyway
access to attrs=shadowLastChange
    by anonymous auth
    by self write
    by * read

# you're going to have to adjust this next rule to match
# the setup of your DSA
access to dn.regex="^uid=([^,]+),ou=People,dc=teraphim,dc=de$"
    by self read
    by dn.exact="cn=Manager,dc=teraphim,dc=de" write
    by anonymous auth
    by * none

# catch-all rule goes last
access to *
    by anonymous auth
    by self write
    by * read

and I'm presuming that "cn=root,dc=teraphim,dc=de" is the rootbinddn in
which case any entries in ACLs are meaningless since rootbinddn is by
design permitted to do anything.

Craig

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
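An added example, not from Craig's reply or from OpenLDAP itself: a small Python model of the top-to-bottom evaluation the reply describes, run over both the posted and the suggested ACL sets. It assumes the rootdn bypasses ACLs, models only the "*" and "attrs=" what-clauses and the "*", "anonymous", "self" and exact-DN who-clauses (the dn.regex rule is left out), and uses a constructed user DN.

```python
# Model (not slapd's code) of how "access to" clauses are walked: the first
# clause whose <what> matches wins, then the first matching <by> inside it
# sets the level; no matching <by> means denied. rootdn bypasses everything.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    # anything else is treated as an exact DN (dn.exact / dn.base on one DN)
    return bind_dn is not None and bind_dn.lower() == who.lower()

def what_matches(what, attr):
    if what == "*":
        return True          # any entry, any attribute
    return attr is not None and attr.lower() == what[len("attrs="):].lower()

def granted(acls, bind_dn, target_dn, attr, want, rootdn="cn=root,dc=teraphim,dc=de"):
    """True if bind_dn (None = anonymous) gets level `want` on attr of target_dn."""
    if bind_dn is not None and bind_dn.lower() == rootdn.lower():
        return True          # rootdn is never subject to ACLs
    for what, by_clauses in acls:
        if not what_matches(what, attr):
            continue         # try the next "access to" clause
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(want)
        return False         # clause matched, but no <who> did: denied
    return False             # no clause matched: denied

MANAGER = "cn=Manager,dc=teraphim,dc=de"
# The posted ordering: the leading "access to *" swallows every request.
ORIGINAL = [
    ("*", [("cn=root,dc=teraphim,dc=de", "read"), ("*", "none")]),
    ("attrs=userPassword", [(MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("attrs=shadowLastChange", [("self", "write"), ("*", "read")]),
    ("*", [("self", "write"), ("*", "read")]),
]
# The suggested ordering: attribute-specific rules first, catch-all last.
SUGGESTED = [
    ("attrs=userPassword", [(MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("attrs=shadowLastChange", [("anonymous", "auth"), ("self", "write"), ("*", "read")]),
    ("*", [("anonymous", "auth"), ("self", "write"), ("*", "read")]),
]
```

A simple bind starts anonymous and needs "auth" on userPassword, which is exactly the request the posted ordering denies for everyone but the rootdn.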