[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
ACLs for anonymous access?
Hello;
I've frustrated myself with this for a few days now, and I just can't
seem to get it right. I have OpenLDAP 1.2.9 on Red Hat 6.1. I'm using
a Red Hat rpm for OpenLDAP.
I have things working quite well for the current application, which is
simply to serve information to qmail regarding mail account information.
To that end, I've defined the qmailUser, etc., and all is going well.
However, I'm planning on extending the function of the LDAP tree to allow
2 additional things: First, allow anonymous search of cn, sn, and mail
attributes to create a sort of "global addressbook" for my mail users.
Second, begin using the LDAP server with nss_ldap, pam_ldap, & auth_ldap
to authenticate users to Linux systems, web servers, etc. To facilitate
these additions, I've also made sure to that I can easily use the
posixAccount and shadowAccount objectclasses, and in fact, most of this
information is in the tree and currently unused.
My next step is to allow the anonymous search to a specific part of the
tree, and only specific attributes at that. I've added an ACL that I had
hoped would be correct, but after tweaking it for far too long, I believe
I've confused myself more than anything. I really need an explanation for
why this isn't working, and be told how to properly read the acl processing
logs. I'm quite sure I'm missing something obvious, but after taking a
long break and trying again, it didn't seem any clearer. Perhaps I need
to grant read, and not search access?
My current ACLs and an appropriate log entry follow. The log entry is from
the following command, which returns an empty result set:
ldapsearch "mail=jkm@tbred.com"
Here are the ACLs:
# Set the default access level
defaultaccess none
# Allow anonymous search to mail,cn,sn in base(ou=people,dc=tbred,dc=com)
access to dn=".+,ou=people,dc=tbred,dc=com"
attr=mail,cn,sn
by self write
by * search
# Give "jkm" access to *everything*, give full read to Admin.
access to *
by self write
by dn="cn=Admin,dc=tbred,dc=com" read
by dn="uid=jkm,ou=People,dc=tbred,dc=com" write
by * none
And the log entry:
: => access_allowed: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr
(mail)
: => acl_get: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr (mail)
: <= acl_get: [2] backend acl uid=jkm, ou=People, dc=tbred, dc=com attr:
mail
: => acl_access_allowed: search access to entry "uid=jkm, ou=People,
dc=tbred, dc=com"
: => acl_access_allowed: search access to value "JKM@TBRED.COM" by ""
: <= acl_access_allowed: matched by clause #2 access granted
: => access_allowed: exit (uid=jkm, ou=People, dc=tbred, dc=com) attr
(mail)
: => access_allowed: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr
(entry)
: => acl_get: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr (entry)
: <= acl_get: [3] backend acl uid=jkm, ou=People, dc=tbred, dc=com attr:
entry
: => acl_access_allowed: read access to entry "uid=jkm, ou=People,
dc=tbred, dc=com"
: => acl_access_allowed: read access to value "any" by ""
: <= acl_access_allowed: matched by clause #4 access denied
: => access_allowed: exit (uid=jkm, ou=People, dc=tbred, dc=com) attr
(entry)
: acl: access to entry not allowed
Much thanks to anyone who can shed some light on this for me. To me, these
ACLs seem pretty tough to work with. What am I missing here? I have
guessed
many things over the past hours, yet all seem to be wrong. Please don't be
gentle, I really *want* to understand this.
Thanks,
Jim McConnell