
Re: slapd.conf - acl question



Hi,

see http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
especially section 5.3.4 Access Control Evaluation that states

Within this priority, access directives are examined in the order in which 
they appear in the config file. Slapd stops with the first <what> selector 
that matches the entry and/or attribute. The corresponding access directive 
is the one slapd will use to evaluate access

and

Finally, slapd compares the access granted in the selected <access> clause to 
the access requested by the client. If it allows greater or equal access, 
access is granted. Otherwise, access is denied.

These two paragraphs should answer your questions.

Peter


  
On Monday 15 September 2003 16:29, Douglas B. Jones wrote:
> Hi,
>
> We are on 2.1.22 and I appear to have an acl problem. I have one access
> line (for test purposes) in my slapd.conf file with one db (bdb):
>
> access to attr=sn
> 	by * read
>
> When I do:
>
> ldapsearch -LLL '(uid=douglas)' sn
>
> I get no results. Here is the log file (I have loglevel set to 128):
>
> Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
> Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
> Sep 15 09:45:25 c01 slapd[17418]: slapd starting
> Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to "uid=douglas,ou=employee,dc=gpc,dc=edu" "uid" requested
> Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
> Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
> Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules
>
> Any ideas why I get no results? If I stick 'access to * by * read',
> I get a result line as I expect:
>
> ldapsearch -LLL '(uid=douglas)' sn
> dn: uid=douglas,ou=employee,dc=gpc,dc=edu
> sn: Jones
>
> This leads me to believe I have to open all then restrict. I would
> rather have it closed and then open up as needed.
>
> I just did another test. In slapd.conf I have:
>
> access to *
> 	by * read
>
> access to *
> 	by * none
>
> I would think this would turn everything on then everything off, yet
> when I do a ldapsearch, I can see ALL attributes of who I look at.
> If I try it with no access line, then the default takes over that gives
> read access to anonymous.
>
> My main question is the one at the beginning, why if I have one access
> line of:
>
> access to attr=sn by * read
>
> not appear not to work?
>
> Thanks!
> Cheers,
> Douglas

-- 
Peter Marschall
eMail: peter@adpm.de
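The evaluation order the quoted guide describes, simulated against the configurations in Douglas's mail (an added illustration, not OpenLDAP's own code). It assumes two defaults taken from the behaviour reported in the thread, anonymous read when no access directive exists and "none" when directives exist but none matches, and it models only the attribute-level check the log shows, not the other checks a real search performs.

```python
# Toy model of slapd ACL evaluation as the admin guide describes it:
# the first <what> selector that matches wins, then the granted level is
# compared with the requested level. Assumed defaults: read with no ACLs
# at all, none when ACLs exist but nothing matched ("no more rules").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def what_matches(what, attr):
    """<what> selector: '*' matches anything, 'attr=NAME' matches that attribute."""
    if what == "*":
        return True
    if what.startswith("attr="):
        return what[5:].lower() == attr.lower()
    raise ValueError(f"unsupported selector: {what}")

def access_allowed(acls, attr, requested):
    """acls: ordered (what, level) pairs, each standing for 'access to <what> by * <level>'."""
    if not acls:
        granted = "read"          # no access directives: anonymous read
    else:
        granted = "none"          # "no more rules": nothing matched
        for what, level in acls:
            if what_matches(what, attr):
                granted = level   # first matching <what> selector wins
                break
    return LEVELS.index(granted) >= LEVELS.index(requested)

# Douglas's first configuration: only 'access to attr=sn by * read'.
# The filter (uid=douglas) needs search access to uid, which no rule covers.
ONLY_SN = [("attr=sn", "read")]
# His second test: read, then none, on the same selector.
READ_THEN_NONE = [("*", "read"), ("*", "none")]
# A constructed closed-by-default variant that still lets the filter evaluate.
CLOSED_WITH_UID = [("attr=uid", "search"), ("attr=sn", "read"), ("*", "none")]

def demo():
    return {
        "only_sn_filter_uid": access_allowed(ONLY_SN, "uid", "search"),        # False
        "only_sn_read_sn": access_allowed(ONLY_SN, "sn", "read"),              # True
        "read_then_none": access_allowed(READ_THEN_NONE, "mail", "read"),      # True
        "no_acl_read": access_allowed([], "mail", "read"),                     # True
        "closed_filter_uid": access_allowed(CLOSED_WITH_UID, "uid", "search"), # True
        "closed_read_mail": access_allowed(CLOSED_WITH_UID, "mail", "read"),   # False
    }
```

The first result is the "no more rules" line from the log: the sn rule never matches the uid check that the filter triggers, so the search is denied before sn is ever considered.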