[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
slapd.conf - acl question
Hi,
We are on 2.1.22 and I appear to have an acl problem. I have one access
line (for test purposes) in my slapd.conf file with one db (bdb):
access to attr=sn
by * read
When I do:
ldapsearch -LLL '(uid=douglas)' sn
I get no results. Here is the log file (I have loglevel set to 128):
Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software:
Berkeley D
B 4.1.25: (December 19, 2002)
Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
Sep 15 09:45:25 c01 slapd[17418]: slapd starting
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to
"uid=dougl
as,ou=employee,dc=gpc,dc=edu" "uid" requested
Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules
Any ideas why I get no results? If I stick 'access to * by * read',
I get a result line as I expect:
ldapsearch -LLL '(uid=douglas)' sn
dn: uid=douglas,ou=employee,dc=gpc,dc=edu
sn: Jones
This leads me to believe I have to open all then restrict. I would
rather have it closed and then open up as needed.
I just did another test. In slapd.conf I have:
access to *
by * read
access to *
by * none
I would think this would turn everything on then everything off, yet
when I do a ldapsearch, I can see ALL attributes of who I look at.
If I try it with no access line, then the default takes over that gives
read access to anonymous.
My main question is the one at the beginning, why if I have one access
line of:
access to attr=sn by * read
not appear not to work?
Thanks!
Cheers,
Douglas