
Ref.: RE: ACL : ldap_bind: Insufficient access (50)




Hello,
thank you for your help.
But I have a problem when I use the group directive in my ACL. This is my
ACL in my slapd.conf:

access to  *
        by anonymous auth
        by group="cn=LpfAdministatorsGroup,ou=LpfAdministrators,o=lpfroot"      write

and this is the group:

dn: cn=LpfAdministratorsGroup,ou=LpfAdministrators,o=lpfroot
cn: LpfAdministratorsGroup
objectClass: top
objectClass: groupOfNames
member: uid=lpfadmin, ou=LpfAdministrators, o=lpfroot


When I run the following command, I get this result:

ldapsearch -h "HOST" -p PORT -D "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" -W -b "o=lpfroot" "(objectclass=*)"
Enter LDAP Password:

# extended LDIF
#
# LDAPv3
# base <o=lpfroot> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Consequently, I don't see any entry in my database.

Thanks in advance





Francois Beretti <francois.beretti@enatel.com>@OpenLDAP.org on 26/06/2003
17:08:00

Sent by:      owner-openldap-software@OpenLDAP.org


To: <kader.seddak@bull.net>, <openldap-software@OpenLDAP.org>
cc :
Subject:     RE: ACL : ldap_bind: Insufficient access (50)


Before being authenticated, you are anonymous
to be the "self" of your acl you need to authenticate yourself
to authenticate you need to access the userPassword attribute of your entry
with "auth" access
but as your ACL says, anonymous has no access to the userPassword attribute
of any entry
so anonymous can't do authentication
so you can't authenticate yourself
so you can't be the "self" of any entry
only "self" has access to any data in your directory
so you can't access your entry

you need to add "by anonymous auth" in your acl

regards

Francois

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On behalf of
> kader.seddak@bull.net
> Sent: Thursday 26 June 2003 16:06
> To: openldap-software@OpenLDAP.org
> Subject: ACL : ldap_bind: Insufficient access (50)
>
>
>
> Hello,
> in my slapd.conf, I write this ACL to allow every entry to access
> its own entry:
>
> access to *
>         by self write
>
>
> and when I search my database with this command, I get this
> error:
> ./ldapsearch -h "HOST" -p PORT -D
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" -W -b
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" "(objectclass=*)"
> Enter LDAP Password:
> ldap_bind: Insufficient access (50)
>
>
> slapd debug with -d 255 :
>
> >>> dnPrettyNormal: <uid=lpfadmin,ou=LpfAdministrators,o=lpfroot>
> => ldap_bv2dn(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,0)
> <= ldap_bv2dn(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,0)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,272)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=lpfadmin,ou=lpfadministrators,o=lpfroot,272)=0
> <<< dnPrettyNormal:
> <uid=lpfadmin,ou=LpfAdministrators,o=lpfroot>,
> <uid=lpfadmin,ou=lpfadministrators,o=lpfroot>
> do_bind: version=3
> dn="uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" method=128
> ==> bdb_bind: dn: uid=lpfadmin,ou=LpfAdministrators,o=lpfroot
> bdb_dn2entry_rw("uid=lpfadmin,ou=lpfadministrators,o=lpfroot")
> => bdb_dn2id_matched( "uid=lpfadmin,ou=lpfadministrators,o=lpfroot" )
> <= bdb_dn2id_matched: id=0x00000018: entry
> uid=lpfadmin,ou=lpfadministrators,o=lpfroot
> entry_decode: "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot"
> <= entry_decode(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot)
> => access_allowed: auth access to
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" "userPassword" requested
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl uid=lpfadmin,ou=LpfAdministrators,o=lpfroot
> attr: userPassword
> => acl_mask: access to entry
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot", attr
> "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: auth access denied by =n
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=50 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=50
> ber_flush: 14 bytes to sd 16
>
> Thanks in advance
>
>
>
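As an added illustration (not OpenLDAP's code and not part of the thread), here is a small Python model of the evaluation order Francois describes: the first `access to` clause covering the target is selected, its `by` clauses are tried in order, and a simple bind is an `auth` request on `userPassword` made while the connection is still anonymous. It also resolves a `group=` clause by looking up the named entry's `member` values by normalized DN, so the DN written in the group clause has to denote the group entry; the directory data is constructed from the entries quoted in the messages.

```python
# Added example: a small model of the ACL evaluation the thread walks through.
# Not OpenLDAP's code; the DNs and ACLs are the ones quoted in the messages.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # ordered privileges

def norm(dn):
    """Normalize a DN like the dnPrettyNormal trace: lowercase, no blanks after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def who_matches(who, requester, target, directory):
    """Does one <who> clause apply? requester=None is the anonymous identity."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and norm(requester) == norm(target)
    if who.startswith("group="):
        # group=<dn>: requester must be listed in the member attribute of that entry
        group = directory.get(norm(who[len("group="):].strip('"')), {})
        members = {norm(m) for m in group.get("member", [])}
        return requester is not None and norm(requester) in members
    return False

def access_allowed(acls, requester, target, attr, level, directory):
    """acls: [(attrs_or_None, [(who, granted), ...])]; first <to> covering attr is used."""
    for attrs, by in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, granted in by:
            if who_matches(who, requester, target, directory):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False  # no <who> matched: implicit "by * none", evaluation stops
    return False

# Constructed directory holding the group entry quoted in the follow-up message.
DIRECTORY = {norm("cn=LpfAdministratorsGroup,ou=LpfAdministrators,o=lpfroot"):
             {"member": ["uid=lpfadmin, ou=LpfAdministrators, o=lpfroot"]}}
ADMIN = "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot"
ORIGINAL = [(None, [("self", "write")])]                          # first post
WITH_AUTH = [(None, [("anonymous", "auth"), ("self", "write")])]  # Francois' advice

def group_acl(group_dn):  # the follow-up message's ACL, with the group clause DN as given
    return [(None, [("anonymous", "auth"), ("group=" + group_dn, "write")])]

def simple_bind_allowed(acls):  # simple bind: 'auth' on userPassword, checked as anonymous
    return access_allowed(acls, None, ADMIN, "userPassword", "auth", DIRECTORY)

def search_allowed(acls, bound_dn):  # after binding, read access to entries under the base
    return access_allowed(acls, bound_dn, "o=lpfroot", "objectClass", "read", DIRECTORY)
```

With the self-only ACL the bind is refused before `self` can ever match, and once `by anonymous auth` is present a group clause grants access only when its DN resolves to the group entry whose `member` list contains the bound DN.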