Hi Owen,
thanks for the explanation!
Now everything works fine with these options:
access to dn.subtree="o=Administrators,dc=<base>"
    by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>"
    by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
access to dn.subtree="dc=<domain_2>,dc=<base>"
    by dn="cn=Administrator1,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write
Thank you!
Carlo
2010/3/19 Owen Marshall <[email protected]>
> On Fri, 2010-03-19 at 12:54 +0100, Carlo Pradissitto wrote:
> > access to * by * write
> > #access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
> > #access to dn.subtree="dc=<domain_1>,dc=<base>" by
> dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
> write
>
> With no access stanza, OpenLDAP defaults to:
>
> access to *
> by anonymous read
> by * none
>
> As soon as you assign an access stanza, this default goes away.
>
> As it stands, you are not giving Administrator1 any permission to bind.
> Your access stanza doesn't mention anything under the administrative
> section.
>
> At the very least, you will need something like:
> access to dn.subtree="o=Administrators,dc=<base>" by anonymous bind
>
> You *will* need to fine-tune this. ;-)
>
> Some decent information on ACLs can be found at
> http://www.zytrax.com/books/ldap/ch6/
>
> Also, set debug level 128 to view ACL processing -- this will be
> invaluable to you.
>
> --
> Owen Marshall
> FacilityONE
> [email protected] | (502) 805-2126
>
>
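An added example, not code from either message in the thread: a small Python model of the slapd ACL evaluation Owen describes (first matching "access to" clause decides, first matching "by" clause gives the level, nothing matched means none once any ACL exists), showing why the data-subtree stanza alone leaves Administrator1 unable to bind and why the "by anonymous auth" stanza fixes it. The base DN, the Administrator1 DN and both ACL sets are constructed stand-ins for the placeholders in the thread.

```python
# Added example, not code from the thread: a small model of the slapd ACL
# evaluation Owen describes. The first "access to" clause whose target covers
# the entry decides; inside it the first matching "by" clause gives the level;
# an entry no clause targets gets "none" once any ACL exists. A simple bind as
# a DN needs at least "auth" on that DN's own entry for the anonymous binder.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def in_subtree(entry_dn, base_dn):
    """dn.subtree match: the entry is the base itself or lies beneath it."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

def evaluate(acls, entry_dn, who):
    """Return the access level for `who` (None = anonymous, else a bound DN).
    acls: list of (target, [(by_who, level), ...]); target is "*" or a
    subtree base DN; by_who is "*", "anonymous" or "dn=<exact DN>" (model)."""
    for target, by_clauses in acls:
        if target != "*" and not in_subtree(entry_dn, target):
            continue
        for by_who, level in by_clauses:
            if by_who == "*":
                return level
            if by_who == "anonymous" and who is None:
                return level
            if by_who.startswith("dn=") and who is not None \
                    and who.lower() == by_who[3:].lower():
                return level
        return "none"  # implicit trailing "by * none" of every access clause
    return "none"  # nothing targets this entry: no default once ACLs exist

def grants(level, needed):
    """Higher levels imply lower ones (write implies auth, read, ...)."""
    return LEVELS.index(level) >= LEVELS.index(needed)

def can_bind(acls, bind_dn):
    """Simple bind: the not-yet-authenticated client needs auth on its own DN."""
    return grants(evaluate(acls, bind_dn, None), "auth")

BASE = "dc=example,dc=org"  # constructed stand-in for the thread's dc=<base>
ADMIN1 = f"cn=Administrator1,ou=domain1Administrators,o=Administrators,{BASE}"
DOMAIN1 = f"dc=domain1,{BASE}"
# The data-subtree stanza on its own: nothing covers the administrators entry.
BROKEN = [(DOMAIN1, [(f"dn={ADMIN1}", "write")])]
# The working config from the thread: anonymous gets auth on o=Administrators.
FIXED = [(f"o=Administrators,{BASE}", [("anonymous", "auth")]),
         (DOMAIN1, [(f"dn={ADMIN1}", "write")])]

if __name__ == "__main__":
    print("bind with BROKEN:", can_bind(BROKEN, ADMIN1))  # False
    print("bind with FIXED: ", can_bind(FIXED, ADMIN1))   # True
```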