Re: Acl on userPassword on a specific base
- To: Marc Roos <M.Roos@f1-outsourcing.eu>, openldap-technical <openldap-technical@openldap.org>
- Subject: Re: Acl on userPassword on a specific base
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Mon, 11 Nov 2019 16:30:37 -0800
- Content-disposition: inline
- In-reply-to: <"H000007100154cb3.1573511736.sx.f1-outsourcing.eu*"@MHS>
- References: <"H000007100154cb3.1573511736.sx.f1-outsourcing.eu*"@MHS>
--On Monday, November 11, 2019 11:35 PM +0100 Marc Roos <M.Roos@f1-outsourcing.eu> wrote:
I have problems authenticating against this acl[0] with nslcd; if I
use [1], authentication is fine. I have the impression the dn.exact is not
able to access the password attribute, because getent shows the other
attributes. How should I rewrite this so the dn.exact is able to read
the password attributes from dn.subtree?
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none continue
The main issue I see is that "continue" doesn't work the way you seem to
think it does. "continue", as noted in the man page:
"the continue form allows for other <who> clauses in the same <access>
clause to be considered"
You have no additional clauses after the continue in *that* access clause,
so it has no effect.
I.e., for continue to work it would be something like:
access to whatever
by something +r continue
by something .....
Then the second "by something" would be processed.
To consider *multiple* access lines, you need to use the "break" keyword.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
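A concrete rewrite of the clause discussed in this thread, added here as an example and not taken from either poster: the database index `{1}mdb`, the nslcd bind DN `cn=nslcd,ou=services,dc=example,dc=com` and the `ou=people` subtree are placeholders.

```ldif
# Added example, not from the thread. Placeholders to replace:
#   olcDatabase={1}mdb                      -> the database holding your users
#   cn=nslcd,ou=services,dc=example,dc=com  -> the DN nslcd binds with
#
# Clause as posted (for comparison). Its last <by> is "by * none continue":
# there is no further <by> in this clause, so "continue" is a no-op and the
# nslcd DN ends up with "none" on userPassword/shadowLastChange.
#
#   olcAccess: {2}to attrs=userPassword,shadowLastChange
#     by ssf=256 self read
#     by ssf=256 anonymous auth
#     by * none continue
#
# Fix A: grant the service DN inside the same <access> clause. <by> clauses
# are tried in order and the first match wins, so it must precede "by * none".
# Reading userPassword hands the hash to that account, so keep it to a single
# dn.exact and require an encrypted connection (ssf=256), as the original did.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by ssf=256 self read
  by ssf=256 dn.exact="cn=nslcd,ou=services,dc=example,dc=com" read
  by ssf=256 anonymous auth
  by * none

# Fix B (alternative to A): keep {2} as posted but end it with "break", which,
# unlike "continue", moves evaluation on to the next <access> clause; the
# following {3} then grants the service DN read on the users' subtree only.
#
#   olcAccess: {2}to attrs=userPassword,shadowLastChange
#     by ssf=256 self read
#     by ssf=256 anonymous auth
#     by * none break
#   olcAccess: {3}to dn.subtree="ou=people,dc=example,dc=com"
#     attrs=userPassword,shadowLastChange
#     by ssf=256 dn.exact="cn=nslcd,ou=services,dc=example,dc=com" read
#     by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif` on the server, then verify from the nslcd DN with `ldapsearch` over TLS that userPassword is returned for an entry in the subtree and withheld for an anonymous bind.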