--On Tuesday, September 12, 2017 1:38 PM -0700 Ryan Tandy <[email protected]> wrote:
On Mon, Sep 11, 2017 at 04:18:20PM -0500, Nick Gray wrote:
With this config, shouldn't this work as well?
ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=\*
The rules on your config database are:
olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage
The first matches everything (*), so the second is never consulted.
Which is specifically noted in the slapd.access(5) man page:
The optional field <control> controls the flow of access rule application. It can have the forms
stop
continue
break
where stop, the default, means access checking stops in case of match.
So as noted in the man page, ACL processing stops at the first matching
access rule.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
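A toy evaluator, added here and not part of the thread or of OpenLDAP itself, that models only the default `stop` control from slapd.access(5) for the two olcAccess layouts quoted above. The single merged `to *` rule with two `by` clauses is my own illustration of how the two identities can both be reached; the `Rule`/`evaluate` names and the implicit deny when no `by` clause matches are assumptions of this model.

```python
# Added example: first-match ("stop") semantics for slapd access rules.
# The first "to" clause whose target matches is the only one consulted; within
# it the first matching "by" clause decides; no matching "by" means "none".
from dataclasses import dataclass, field

@dataclass
class Rule:
    to: str                                  # target selector; only "*" is modelled
    by: list = field(default_factory=list)   # [(who_kind, who_value, access), ...]

def who_matches(kind: str, value: str, bind_dn: str) -> bool:
    """Match a <who> clause against the bound identity ("" = anonymous)."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind in ("dn", "dn.base"):            # both treated as exact-DN matches here
        return bind_dn.lower() == value.lower()
    raise ValueError(f"unsupported who clause: {kind}")

def evaluate(rules: list, bind_dn: str) -> str:
    """Return the access level granted by the first rule whose target matches."""
    for rule in rules:
        if rule.to != "*":                   # only "to *" targets appear in the thread
            continue
        for kind, value, access in rule.by:
            if who_matches(kind, value, bind_dn):
                return access
        return "none"                        # "to" matched, no "by" matched: deny
    return "none"

PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
MANAGER = "cn=Manager,dc=local,dc=bob,dc=com"

# The two-rule layout from the thread: {1} is never reached because {0} is "to *".
SHADOWED = [
    Rule("*", [("dn.base", PEERCRED, "manage")]),
    Rule("*", [("dn", MANAGER, "manage")]),
]
# One "to *" rule carrying both "by" clauses, so each identity is evaluated.
MERGED = [
    Rule("*", [("dn.base", PEERCRED, "manage"), ("dn", MANAGER, "manage")]),
]

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("merged", MERGED)):
        print(name, "peercred:", evaluate(rules, PEERCRED), "Manager:", evaluate(rules, MANAGER))
```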