Configuring access control

Ed Oskiewicz (
Wed, 07 Aug 1996 16:26:25 +0100

I am having trouble figuring out how to set up an LDAP directory to provide
access controls which differ from attribute to attribute. What I want to do
is described below with the lines from my configuration file shown below the
description. These lines are taken from my config file and appear in it in
the order shown:

Allow the user to write their password but deny anyone else access

access to dn=".*, o=BT plc, c=gb"
by self write
by * none

Allow the user to update some attributes and anyone from BT to read them,
deny anyone else access

access to dn=".*, o=BT plc, c=gb"
by self write
by domain=.*\.bt\.co\.uk read
by * none

Allow anyone from bt to update this attribute

access to dn=".*, o=BT plc, c=gb"
by domain=.*\.bt\.co\.uk write
by * none

When I fire up slapd and run ldapsearch without any authentication then all
user passwords are printed out on my screen. If I add

defaultaccess none

to the config file then only the rootdn can access entries, i.e. other users
cannot access even if their dn and password is specified. Is there something
elementary I have missed?


Ed Oskiewicz

      B54/76, BT Labs, Martlesham Heath, Ipswich, Suffolk, UK, IP5 7RE,
		  Tel +44 1473 640896, Fax +44 1473 640929