Re: slapd.conf - acl question

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Monday, September 15, 2003 6:35 PM -0400 "Aaron J. Angel" 
<uberfreak@darkphuture.org> wrote:

> Also, * does not include anonymous, does it?

Star (*) is everything, anonymous or not.

--Quanah


> On Mon, 15 Sep 2003 21:42:24 +0200, Peter Marschall <peter@adpm.de> wrote:
>
> > Hi,
> >
> > see http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
> > especially section 5.3.4 ASccess Control Evaluation that states
> >
> > Within this priority, access directives are examined in the order in
> > which
> > they appear in the config file. Slapd stops with the first <what>
> > selector
> > that matches the entry and/or attribute. The corresponding access
> > directive
> > is the one slapd will use to evaluate access
> >
> > and
> >
> > Finally, slapd compares the access granted in the selected <access>
> > clause to
> > the access requested by the client. If it allows greater or equal access,
> > access is granted. Otherwise, access is denied.
> >
> > These two paragraphs should answer your questions.
> >
> > Peter
> >
> >
> >
> > On Monday 15 September 2003 16:29, Douglas B. Jones wrote:
> > > Hi,
> > >
> > > We are on 2.1.22 and I appear to have an acl problem. I have one access
> > > line (for test purposes) in my slapd.conf file with one db (bdb):
> > >
> > > access to attr=sn
> > > 	by * read
> > >
> > > When I do:
> > >
> > > ldapsearch -LLL '(uid=douglas)' sn
> > >
> > > I get no results. Here is the log file (I have loglevel set to 128):
> > >
> > > Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software:
> > > Berkeley D
> > > B 4.1.25: (December 19, 2002)
> > > Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
> > > Sep 15 09:45:25 c01 slapd[17418]: slapd starting
> > > Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to
> > > "uid=dougl
> > > as,ou=employee,dc=gpc,dc=edu" "uid" requested
> > > Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
> > > Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
> > > Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules
> > >
> > > Any ideas why I get no results? If I stick 'access to * by * read',
> > > I get a result line as I expect:
> > >
> > > ldapsearch -LLL '(uid=douglas)' sn
> > > dn: uid=douglas,ou=employee,dc=gpc,dc=edu
> > > sn: Jones
> > >
> > > This leads me to believe I have to open all then restrict. I would
> > > rather have it closed and then open up as needed.
> > >
> > > I just did another test. In slapd.conf I have:
> > >
> > > access to *
> > > 	by * read
> > >
> > > access to *
> > > 	by * none
> > >
> > > I would think this would turn everything on then everything off, yet
> > > when I do a ldapsearch, I can see ALL attributes of who I look at.
> > > If I try it with no access line, then the default takes over that gives
> > > read access to anonymous.
> > >
> > > My main question is the one at the beginning, why if I have one access
> > > line of:
> > >
> > > access to attr=sn by * read
> > >
> > > not appear not to work?
> > >
> > > Thanks!
> > > Cheers,
> > > Douglas



--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html